Face Your HIPAA Audit Like a Boss

What does a HIPAA compliance audit demand from you? If you pull together the right documents and data in advance, you’ll barely break your stride when the audit notification comes.


You take the goals of HIPAA seriously. You always strive to protect your patients’ information in your practice. However, if you’re like many independent practices or small healthcare businesses, you spend little time monitoring and documenting your adherence to your written HIPAA policy, assuming that you created a written policy in the first place.

So when you receive an email from OSOCRAudit@hhs.gov notifying you that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is auditing your HIPAA compliance, it ruins your day. You may find it difficult, or perhaps impossible, to provide the required documents and data as quickly as they dictate. Furthermore, without adequate monitoring and documentation, you can’t know where your actual compliance stands.

Audits don’t have to be so stressful. You can ease much of the stress by getting yourself audit-ready now, without the time pressures of a command performance for OCR. Once you have reached a reasonable level of readiness and schedule some routine monitoring and updates into your calendar, you’ll be unfazed when the audit notification arrives.

Documents and Data to Have Ready for a HIPAA Audit

When the OCR comes knocking, you’ll have a very short window for responding, so documentation needs to be readily available. Be prepared to provide evidence of your compliance activities. Keep all of your IT logs or other compliance documentation organized – and be sure you have records for the past six years at a minimum. We typically recommend that our clients maintain records indefinitely.

If you’re faced with a HIPAA audit, OCR will ask you to produce the following:

  1. HIPAA policies and procedures
  2. List of business associates
  3. Notice of Privacy Practices
  4. Recent risk analysis
  5. Evidence of workforce training
  6. Evidence of monitoring
  7. Evidence of technical and non-technical evaluations

HIPAA policies and procedures

Let’s start with the basics: you must have a written HIPAA policy and procedures document. Be warned: you can’t simply create policies in reaction to receiving an audit notice. You’ll need to show OCR the policies that you actually use, or cop to not having the full scope of legally mandated policies and procedures in place.

It should be clear that these are implemented policies. If you purchased your policy documents as “forms,” there should be no remaining fill-in-the-blank fields. The policies should be fully customized to your practice and should contain no “draft” watermarks or indicators.

Has your HIPAA policy document been sitting at the bottom of a drawer since its creation? Compliance demands more. Your records should reflect that you’ve periodically and regularly reviewed your policies, and you must be able to demonstrate that your staff is trained on them and has access to them.

Furthermore, you’re required to retain your previous policies for six years, so you’ll need to produce those, too. HIPAA policies should be periodically updated, and the historical policies can help you demonstrate that.

List of Business Associates

You should be able to produce the names of all of your business associates (BAs). These are people or entities with access to your patients’ protected health information who perform services for you or act on your behalf but are not a part of your organization. Along with this comprehensive list of BAs, you should be able to produce current, effective business associate agreements for each of them.

Electronic health records (EHR) and medical records (EMR) companies are, of course, at the top of the list. Other examples of common business associates include:

  • Medical billing company
  • Medical transcription company
  • Collection agency
  • Email service provider (such as Google)
  • Answering service
  • Document shredding company

Notice of Privacy Practices

Provide your Notice of Privacy Practices, and be sure it matches up against your actual policies and procedures. It should contain the name of the practice’s point-of-contact for privacy complaints and list an effective date. It needs to be readily available for patients to review at your practice’s brick-and-mortar location(s). Be sure to retain copies of your previous Notice of Privacy Practices going back at least six years.

Recent Risk Analysis

If you haven’t performed a risk analysis lately, you’re not alone. The lack of a recent risk analysis is one of the most common deficiencies identified by OCR. 

You need to perform a risk analysis at least annually or any time that a security-impacting event occurs. This all needs to be documented. When you identify a security risk, you should create a risk management plan that outlines the corrective actions you’ll be taking to remedy it, or the mitigating factors that justify you not taking corrective action.

Be sure that you have mechanisms in place to identify not just breaches but the causes of breaches. Where are the weak spots in your compliance? 

If a third party is performing your risk analysis, be sure to retain all of their documentation and findings. If you’re performing it yourself, keep your detailed internal report in a format that can be easily and quickly delivered to auditors.

Evidence of Workforce Training

Are you using online HIPAA training sources? If so, be sure that you’re collecting proof of completion. If proof isn’t available, obtain training from another source. Documentation of compliance is crucial.

If you’re using a commercially-available HIPAA training product (generic online videos, etc.), you will need to supplement it with information specific to your organization. Your staff must be trained in your specific practices, points of contact, reporting procedures, and security tools.

Also, ensure that you offer training on issues that are of contemporary relevance – for example, hacking of healthcare organizations or breaches of high-profile patients’ data.

Evidence of Your Monitoring

It can be overwhelming for a small or mid-sized organization to monitor its compliance with all of HIPAA’s requirements. In many cases, HIPAA balances the burden of compliance with the level of risk. It’s crucial that your documentation demonstrates consistency in your monitoring activities. Even if it may fall short of HIPAA’s requirements, a consistent and attentive approach to monitoring is better than a sometimes-great-but-usually-nonexistent approach.

Evidence of Periodic Technical and Non-technical Evaluations

You’ve likely relied upon outside experts to evaluate your IT systems’ compliance with HIPAA. Such experts are useful for identifying new ways to protect patient data or new efficiencies in your systems. Retain all evidence of the evaluations performed by experts and keep a copy in your HIPAA file.

When to Call Your Attorney

Your attorney should respond to an OCR HIPAA audit on your behalf or, at a minimum, counsel you through the response process. It’s important to provide just the right amount of information (not too much, not too little). An experienced attorney can help you find that line. And naturally, anytime you deal directly with the government, you can feel more confident when a lawyer has your back.

Wherever you stand in your overall HIPAA compliance process, Jackson LLP’s healthcare attorneys can get you on track. To learn more about developing your HIPAA policy, assessing your risk, responding to an audit, reporting a breach, or taking corrective actions in any of the states where we practice, reach out to us for a consultation.

This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.
