Preempt potential privacy violations with these 8 tips
Civil money penalty for violating HIPAA: $100 minimum; criminal sanctions for misusing or disclosing protected health information: $50,000 minimum; preventing HIPAA violations before they occur: priceless.
Performing regular internal audits of your HIPAA compliance program is essential to your office's continued regulatory success. Audits not only reveal how far along your office's compliance efforts are in the big picture, but they can also target specific areas for improvement. Here are some tips on getting started:
INDIVIDUALIZE YOUR PROCESS
What standards for regulatory quality are most valuable for your office? Your compliance officer will best know how to answer that question. And after you come up with the quality standards you want to see, be sure to document your policies and goals so they can be easily accessed the next time you conduct an audit.
MIX AND MATCH AUDITORS
However you set up your auditing control, don't have a member of one department audit the same department, advises Kathy LePar, senior consultant with Norwall, MA-based Beacon Partners. For example, "it's not a wise choice to have radiology audit radiology - or to have managers auditing their own departments - because then things will be skewed, so it's very important to spread this out," warns LePar.
TARGET YOUR STANDARDS
After you come up with your standards and perform your gap analysis, LePar advises facilities to devise a process in which you target your quality standards individually - not all at once. That way, not only can you audit a particular trouble zone, but you can also more easily implement changes.
DIVIDE AND CONQUER
Dividing your standards into several sections makes them easier to pick apart and correct, says LePar. After you section off each of your standards, she advises facilities to audit the entire facility against that particular standard. That entails conducting interviews with employees, performing walkthroughs of your facility and carefully scrutinizing documents that were produced for HIPAA compliance, including your policies and procedures and even some systems. For example, for a notice of privacy practices document, "you'd be looking at that document as well as the system to track if [patients] have received that notice, and how your facility is tracking that."
FACILITATE CULTURE CHANGE
If, after you perform your audit, you determine that certain employees aren't performing their jobs correctly with respect to HIPAA, be sure to train them with respect to your facility's policies. LePar says oftentimes an employee who isn't doing something right does so because he has done it over and over to the extent that the task has become part of his culture. If mistakes are brought to employees' attention again and again, gradually "they'll change their culture," claims LePar.
MAKE FREQUENT AUDITS
While you don't have to perform an internal audit each quarter, make sure you do them at least annually, recommends Patricia Johnston, a consultant with Texas Health Resources in Arlington. Yet for higher-risk areas (for instance, operating rooms or emergency departments) and places where the rate of activity increases, Johnston recommends doing audits more often, such as on a quarterly basis. "Of course, if you've found a problem area, then you really want to do it more often than that to get things really ironed out."
DOCUMENT YOUR RESULTS
After you've conducted your audit and you've determined where your positives and negatives are, your auditors need to document the results and give them to the heads of the various departments that were audited. Once that's done, write up a corrective and preventative action request. The corrective/preventative action request (see sample, p. 3) is part of your audit documentation, and it's intended to help you make improvements in your department. You should give this document to the department head - or whichever responsible party you choose - to determine how or why a quality standard was missed. That person then needs to suggest and implement changes to ensure that the act of non-compliance doesn't recur.
DON'T REPEAT HISTORY
If your auditors are ignorant of the last audit's compliance goofs, they're doomed to miss them during the next audit. Before you conduct your next audit, each auditor must examine all of the corrective or preventative actions taken in a particular department so that they know whether any activity has been done to prevent further non-compliance, says LePar.