The pre-audit surveys for the Office of Civil Rights’ (OCR) Phase 2 HIPAA audits are already being sent out to healthcare providers and their business associates. If you’re one of the 800 organizations that receive a survey, you might be selected for an audit.
The stakes are high. On one hand, only 350 organizations will be audited, which, in the grand scheme of things, is not very many. However, those 350 organizations need to be keenly aware of HIPAA compliance rules, especially when it comes to security and privacy, on which this phase of the audits will focus. Being found non-compliant can result in enormous fines, harm to your patients, and irreparable damage to your business. And, of course, the 350 organizations will be selected randomly, so until they are, everyone needs to be on guard.
So what can you do to prepare for the audits and make sure that if you are selected, things go smoothly?
The OCR is focusing on areas of “heightened risk,” identified as particularly problematic in Phase 1. These include risk assessment, individuals’ right to access PHI, notice of privacy practices, breach notification, and encryption, among others.
Here are five steps you can take to make things easier on your organization and on the auditors in case the OCR comes calling.
- Review your security policies. Conduct a thorough review of your security policies and procedures, taking care to clearly document your HIPAA program. Security plays a large role here, and so does encryption. Know how users are accessing your files, and take all ePHI protocols into account, which means knowing how electronic patient files are stored, synced, and shared, both within your organization and with third parties like patients, pharmacies, insurance companies, lawyers, and others. If you’re using Sookasa to encrypt your files in the cloud, you shouldn’t have any trouble on that score, because Sookasa’s file-level encryption ensures that information remains protected wherever your data resides. This means that your patients’ information is only accessible to authorized parties and won’t be compromised, even in the event of a data breach on your cloud provider’s network.
- Update, update, update! Consider your policies for data breach mitigation, access revocation for terminated employees, new employee training, access to PHI, file-sharing procedures, notice of privacy practices, disaster recovery, and data backup. If any of these policies are out of date, or do not reflect the current working environment, which may have changed dramatically due to the encroachment of BYOD and other new technologies, change that ASAP. This is, of course, a good thing to do even if you’re not being audited, but if you are, it’s crucial.
- Examine your electronic files. Determine what’s been encrypted and what hasn’t. Hopefully, you’re already encrypting everything that touches sensitive patient data. But if you’re not, make sure you’re able to identify which files have not yet been encrypted. If you can make the change before the audit, do it; Sookasa can help with that, too. Encryption may sound daunting, but it doesn’t have to be a complicated or disruptive process. In fact, it’s imperative that it’s easy and seamless so that employees don’t seek unsafe workarounds.
- Assess your risks. In Phase 1, two-thirds of the audited organizations had no complete and accurate risk assessment for the HIPAA Security Rule, so Phase 2 will likely home in on this area. To prepare, conduct an inventory of all of your organization’s systems that handle ePHI, and implement remediation activities where necessary. It doesn’t hurt to have someone come in to do a third-party HIPAA risk assessment, just so you can be completely confident in what tasks remain to be tackled. This is a good practice for every healthcare organization, not only those that will fall under the scrutiny of the OCR.
- Make a list of your business associates. This may seem simple, but it’s essential to know just who else has access to your organization’s PHI, and the OCR will certainly ask for this. The people who work behind the scenes, such as attorneys, accountants, or tech companies providing data storage, are essential to your operations, but they’re often the weakest link when it comes to security. More than 20 percent of data breaches are attributed to business associates, who inadvertently release thousands of patient records, often through hacking or unauthorized access. Only recently did the OCR determine that business associates must also comply with HIPAA, so the business associates you currently work with may also be subjected to audits.