Home Health & Hospice Week

HIPAA:

Follow This Advice To Prepare Now For HIPAA Audits

Check and double-check your HIPAA policies and procedures.

The HHS Office for Civil Rights’ new phase of HIPAA audits is in full swing, so you should make sure you’ll pass with flying colors should OCR auditors knock on your door.

During the OCR’s desk audits, the agency will be reviewing privacy policies relating to the Privacy, Security, and Breach Notification Rules, says San Francisco-based privacy attorney Diana Maier. “OCR has also said that they expect audited entities to respond to their initial request for documentation within ten business days by submitting documents electronically via their secure, online portal.

“To prepare for a potential audit, I always recommend that covered entities and business associates ensure that they have written privacy policies consistent with their requirements under HIPAA.”

In addition, she recommends that her clients run the Security Risk Assessment Tool, which is available online. “This isn’t required by the HIPAA Security Rule, but it is meant to assist with a risk assessment and can be a great resource for identifying areas of vulnerability,” she advises. Maier also suggests the following steps during your audit preparation:

  • If a covered entity is required to provide a notice of their privacy policy, they should make sure they have this policy in place and are distributing it appropriately.
  • Business associates should review their agreements with covered entities to make sure they are doing what they said they would do.
  • Covered entities and business associates should make sure that they understand those policies and are following them.

Attorney Neil Eggeson of Eggeson Appellate Services in Indianapolis offers this advice:

  • During the phase one audits, the OCR found that one of the biggest deficiencies was in the area of risk assessment, Eggeson says. Providers should conduct regular security risk assessments and should be able to document the steps taken to correct security risks.
  • Document an ongoing, comprehensive HIPAA compliance program (including periodic reviews and updates of that program).
  • Generate an inventory of all business associates, he adds. “All audited providers will be expected to produce a list of its business associates, so having that list ready will be helpful in preparing for a phase two audit,” Eggeson advises.
  • Review all policies related to security, breach notification, and protected health information to ensure that they are up-to-date AND take into account all technologies used by the practice (e.g., cloud storage).
  • Have a breach notification policy that accurately tracks the requirements found in the Breach Notification Standards, and a compliant Notice of Privacy Practices.

Although it’s never too late to tighten up your HIPAA program, chances are that if you get an audit notification today and you haven’t yet launched a privacy program, you could get zinged by an auditor, Eggeson warns.
