While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan’s discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding the customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

  • Where are the current policies and procedures for your department concerning privacy and security?

  • Would you please send me the training sign-in sheets for your group? Why was that group not trained?

  • Where are the signed copies of the business associate agreements? Is this all of them?

  • Where can I find a copy of the risk assessment for your department? Is it updated?

  • How was that complaint resolved? Were there any others?

  • Do you have all of the documents for the data breach that affected the radiology department?

  • Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity’s compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example

  • Allow different departments/groups to log on an update their compliance efforts,

  • Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

  • Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

  • Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

  • Track and document responses to patient complaints,

  • Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish and audit trail for creating “defensible position” to regulators.

  • Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

  • Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

  • Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.