Preparing some documents beforehand will make your HIPAA audit much more pleasant.
By: Brand Barney
The OCR has scheduled you for a HIPAA audit, and you’re panicking. What do you do? How can you prepare?
Believe it or not, HIPAA auditors are not your enemy; their goal is to help you make your organization more secure for your workforce members and your patients. But if you aren’t prepared for the audit, it can quickly become your worst nightmare.
See Also: HHS HIPAA Audit Requirements
Why did you get audited?
- At random: the OCR conducts random audits to see how healthcare entities are doing with HIPAA compliance.
- Complaints: a customer, or even an employee, can file a complaint with the HHS, which may lead to an audit.
- Self-reported breach: if you have had a breach, you have a much higher chance of being audited.
Have documentation ready
This is probably one of the most important things to prepare for your audit. Having the proper documentation ready will make your audit go much faster and help you avoid costly penalties.
You’ll want to have the following documents available for your audit:
Workforce member training documents
Your workforce members are among the weakest links in your organization, so you should be devoting more time to training, and that training should all be written down.
Have things like employee manuals and policies ready so your auditors can see how your workforce is expected to understand HIPAA. The OCR will also question your workforce members to see if they actually know that information, so make sure your staff members are up to date with the content of your training materials.
See Also: HIPAA Training Video: Essential Healthcare Compliance Training
Security Policies and Procedures:
It is not enough for your organization to have security policies; they need to be documented. These may include:
- Incident response policies
- Business continuity policy
- Firewall policies
- Physical security policy
- HIPAA Privacy and Security Rule policies
Risk analysis and Risk management documents
These documents are required by the HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A) and (B)). A risk analysis identifies the potential security risks present in your organization, and a risk management plan describes how you intend to address them.
Having these documents shows your auditor you’re actually fulfilling the HIPAA requirements, you understand what risks may be present in your organization, and how you’re handling potential security issues.
Conduct internal audits
Conducting audits within your organization can help you find resolvable problems in your security before the OCR audit. It’s best to do these audits periodically to catch new issues as they appear.
I always advise entities to engage a third-party security expert to help conduct a proper security assessment. A security assessor will have experience in HIPAA (and many other security mandates) and will be able to see your organization from an external view (which is exactly how malicious attackers see it).
Prepare yourself properly
HIPAA audits can be difficult for both the auditors and the organization involved, but taking the proper steps to prepare will make your audit less of a headache.
Remember, the point of an audit is to help your organization become more secure, protecting you, your workforce members, and ultimately your patients.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
Need help getting ready for a HIPAA audit? Check out the infographic below, 5 Documents to Prepare for an Audit, to see what you can do to make your audit go more smoothly.