Health Information Compliance Alert

COMPLIANCE STRATEGY:

Preempt Potential Privacy Violations With These 8 Tips

Perform regular audits before the feds audit you.

Regularly auditing your HIPAA compliance program is essential to your office's continued regulatory success. Audits not only reveal how far along your office's compliance efforts are in the big picture, but they can target specific areas for improvement. Here are eight tips to help you get started:

1. Individualize Your Process

What standards for regulatory quality are most valuable for your office? Your compliance officer will best know how to answer that question. And after you come up with the quality standards you want to see, be sure to document your policies and goals so they can be easily accessed the next time you conduct an audit.

2. Mix And Match Auditors

However you set up your auditing control, don't have a member of one department audit the same department, advises Kathy LePar, senior consultant with Norwall, MA-based Beacon Partners. For example, "it's not a wise choice to have radiology audit radiology -- or to have managers auditing their own departments -- because then things will be skewed, so it's very important to spread this out," warns LePar. 
 
3. Target Your Standards

After you come up with your standards and perform your gap analysis, LePar advises facilities to devise a process in which you target your quality standards individually -- not all at once. That way, not only can you audit a particular trouble-zone, but also you can more easily implement changes.

4. Divide And Conquer

By dividing your standards into several sections, they'll be easier to pick apart and correct, says LePar. After you section off each of your standards, she advises facilities to audit the entire facility with that particular standard.

Practical application: That entails conducting interviews with employees, performing walkthroughs of your facility and carefully scrutinizing documents that were produced for HIPAA compliance, including your policies and procedures and even some systems. For example, for a notice of privacy practices document, "you'd be looking at that document as well as the system to track if [patients] have received that notice, and how your facility is tracking that."

5. Facilitate Culture Change

If, after you perform your audit, you determine that certain employees aren't performing their jobs correctly with respect to HIPAA, be sure to train them on your facility's policies. LePar says oftentimes an employee who isn't doing something right does so because he has done it over and over so that the task has become part of his culture. If mistakes are brought to employees' attention again and again, gradually "they'll change their culture," claims LePar.

6. Audit At Least Annually

While you don't have to perform an internal audit each quarter, make sure you do them at least annually, recommends Patricia Johnston, a consultant with Texas Health Resources in Arlington.

For higher risk areas -- for instance, operating rooms or emergency departments and places where the rate of activity increases -- Johnston recommends doing audits more often, such as on a quarterly basis. "Of course, if you've found a problem area, then you really want to do it more often than that to get things really ironed out."

7. Document Your Results

After you've conducted your audit and you've determined where your positives and negatives are, your auditors need to document the results and give them to the heads of the various departments that were audited.

Tip: Once that's done, write up a corrective and preventative action request. The corrective/preventative action request is part of your audit documentation, and it's intended to help you make improvements in your department.

You should give this document to the department head -- or whichever responsible party you choose -- to determine how or why a quality standard was missed. That person then needs to suggest and implement changes to ensure that the act of non-compliance doesn't recur.

8. Don't Repeat History

If your auditors are ignorant of the last audit's compliance goofs, they're doomed to miss them during the next audit.

Before you conduct your next audit, each auditor must examine all of the corrective or preventative actions taken in a particular department so that they know whether any activity has been done to prevent further non-compliance, says LePar.

Editor's note: For a sample corrective action form to use in your audits,
see the article called Security Tool is this issue.