Follow this checklist to be prepared before the audit letter arrives.
As HIPAA audit frequency ramps up, it’s more important than ever for physicians and practices to be prepared for the inevitable visit. Use this checklist to get all your documents in place now – and save yourself from scrambling to collect everything at the last minute.
Auditors can ask for information that falls into four categories: HIPAA security, technical safeguards, HIPAA privacy, and HITECH. Here’s the specific documentation that auditors can ask for, according to an issue brief by Susan A. Miller, JD of Malvern, PA-based Malvern Group Incorporated.
HIPAA Security
o Access control
o Data protection
o Acceptable use
o Workstation security
o Workforce/HR security
o Sanction procedures
Technical Safeguards:
HIPAA Privacy
o Use and Disclosure
o Deceased individuals
o Rights to Request Privacy Information
o Right to Request Privacy Protection of PHI
o Access of Individuals to PHI
o Denial of Access to PHI procedures
o Amendment of PHI
o Accounting of Disclosures of PHI
o Administrative Requirements
o Transition Provisions
o Personal representatives
o Confidential communication
o Business associate contract requirements
o Health Plan documentation requirements
o Treatment, payment, and/or operations
o Consent and authorization requirements
o Judicial or administrative proceeding requirements
o Research requirements
o Approval or waiver requirements
o De-identification/re-identification of PHI procedures
o Restriction of PHI
o Minimum necessary requirements
o Limited information provided for fundraising purposes
o Healthcare underwriting requirements
o Identity verification procedures for individuals requesting PHI
HITECH
Source: Susan A. Miller, JD, Malvern Group: “Issue Brief: OCR Audit Documentation Requests — What We Know Now.” www.malverngroup.com/uploads/OCR_Audit_Document_Request_Brief_20120424_v_2.pdf.