What Not to Say to a HIPAA Auditor

Here are Linda’s top three responses to avoid when a HIPAA auditor shows up at your doorstep:

  1. We’re closed for lunch. Can you come back tomorrow?
  2. We paid our fines last year.
  3. We have nothing in place; we are so glad to see you because we need your help.

There is no time like the present to prepare for a HIPAA audit. Start with the three core areas of an audit: the Privacy Rule, the Security Rule and the Breach Notification Rule. The audit protocol addresses 165 performance criteria: 77 focus exclusively on compliance with the Security Rule, and the other 88 deal in combination with Breach Notification and Privacy Rule requirements. Evaluate your policies and procedures in these areas and be sure you are following them.

Linda Sanches, senior advisor for health information privacy at OCR (Office of Civil Rights), states that two of the biggest areas of weakness found were entities’ failure to conduct risk analysis to identify vulnerabilities in their security programs, and their failure to manage any risks found. In addition, the preliminary audits have uncovered many HIPAA violations, with the most problems (65%) in keeping electronic patient data secure.

Be assured that even small or mid-size practices are not immune from HIPAA audits or patient complaints. If we can be of assistance (remotely or onsite) with your HIPAA assessment, don’t hesitate to call us at (904) 573-2232 or write to us at RiskTeam@LindaHarvey.net.

Read more about HIPAA audits: http://www.fierceemr.com/story/ocr-reveals-hipaa-audit-protocol/2012-06-27#ixzz267EPcdyX