What to Expect When the HIPAA Auditors Arrive?
You think it’s an average, ordinary day and sit back as you go through the mail. You pull an envelope
out of the pile, read the return address and suddenly sit up straight. You already know what is
inside, and your heart rate increases as you carefully slit open the top. Despite telling yourself you
could be wrong as you remove the letter, you discover you are not. It is the dreaded OCR audit
notification letter. Cue the panic.
When this letter arrives, there’s no need to hear the theme from “Jaws” in your head. If you ensure you
have made a good faith effort to comply with the HIPAA / HITECH requirements based on the final
Omnibus rule, and have documented this as policy mandates, you can breathe easier, and when the audit
occurs you will not feel as if you are in shark-infested waters.
Preparing for the Audit
While preparing for the audit, the first thing to do is to go to the OCR website, which details the steps of
the new HITECH compliance regulations formalized by the Omnibus rule. It also provides a timeline to
help you stay on track as you prepare.
Staff training and documentation of training is a key component of HIPAA audits. Make sure your staff is
fully trained regarding federal, state and organizational privacy and security regulations as well as your
organization’s policies and procedures. Training should also include potential security risks, such as
protecting ePHI from malicious computer attacks, and how to handle a potential breach. Refresher training
should be conducted regularly; if you haven’t done so to this point, schedule a refresher training
before the audit date or at least have one on the calendar.
Be sure to check your compliance software system to ensure it has been updated to the most recent
version. Also review the market to determine whether newer software programs offer additional
features that would improve your ability to remain HIPAA compliant.
What to Expect During the Audit
There are certain policy and procedure documents that HIPAA auditors will be looking for in all covered
entities. Additionally, they will want to interview employees regarding their knowledge of HIPAA
compliance within the organization, and they will expect key personnel to be able to demonstrate the
functions of the organization’s compliance system.
They will examine all documentation of your organization’s security and privacy compliance efforts. In
addition to appropriate staff training, they will look for documentation of appropriate safeguards that have
been put in place or actions that will be taken to protect ePHI from potential threats and risks.
Required and Supplemental Documentation
There are a number of specific documents that HIPAA auditors will want to examine. It is always prudent
to document everything related to a HIPAA compliance issue and keep this additional information
organized to display the company-wide commitment to maintaining compliance. Relevant documents to
have available include:
Risk Analysis Related Documentation - It’s a good idea to hold meetings after conducting a risk
analysis to discuss the results and plan any corrective action that is necessary. Each task should be
assigned to a specific individual or team, and each should be clear on what action they need to take.
Keep minutes of these meetings, listing main discussion points, problems identified, the plan of action for
each problem and personnel assignments.
Each individual or team should document what they did to fix their problem, and if the risk could not be
entirely eliminated, explain how the solution reduced the risk to a reasonable level. For each completed
correction, the procedures and policies must be updated. Complete progress reports for each task that
has not been completed in time for the audit.
You do not need to show that you have fully remediated everything identified in the risk assessment, but
you must demonstrate awareness of each risk or threat and have a documented plan to address each
one. It should be clear in the documents which problems have been fixed along with the updated policy
or procedure that has been put into place, and which problems are still in need of remediation with a clear
plan and deadline for each problem that is currently unresolved.
Create a packet with the risk analysis, minutes, report on completed tasks, updated policies and
procedures and progress reports on incomplete tasks. This will provide auditors with a good idea of how
your organization assesses and mitigates risk, and the comprehensive documentation will show you are
committed to maintaining HIPAA / HITECH compliance.
Contracts and Documentation Related to Business Associates and Subcontractors - Auditors will
want to examine all contracts between the covered entity and third-party associates to make sure they
include the required components. They will also want to see documentation that these parties are
following the physical, technical and administrative safeguards required by the HIPAA Security Rule.
The Compliancy Group LLC.
55 Broadway Unit 684
Greenlawn, NY 11740
Contact No: 855 854 4722