Home Health & Hospice Week

Patient Privacy:

Be Ready To Produce These Documents For A HIPAA Audit

Get ahead by knowing exactly what auditors will expect.

Sure, HIPAA auditors will want you to show them a heaping mountain of documents to prove that you’re complying with the Privacy and Security rules. Instead of scrambling to amass all these documents at the last minute, prepare ahead of time with a helpful checklist. Here’s the specific documentation that auditors can ask for, according to an issue brief by attorney Susan A. Miller of Malvern, Pa.-based Malvern Group Inc.

HIPAA Security

o Security Officer contact information (name, email, phone, address, and admin contact info)

Administrative Safeguards

o Entity-Level Risk Assessment
o Organization Chart
o Information Security Policies, specifically those documenting security management practices and processes such as:

  • Access control
  • Data protection
  • Acceptable use
  • Workstation security
  • Workforce/HR security
  • Sanction procedures

o Security Incident Management Plan
o Business Continuity/Disaster Recovery Plan
o Data backup and recovery procedures
o Physical security policies and procedures
o Data destruction and media reuse procedures

Technical Safeguards

o Encryption policies and procedures
o Management’s internal control/internal audit policies and procedures relative to monitoring IT safeguards
o System-generated user access listing of all individuals with access to systems housing ePHI
o System-generated listing of all New Hires within the past year
o User authentication policies and procedures

HIPAA Privacy

o Privacy Officer contact information (name, email, phone, address, and admin contact info)
o Privacy Policy and Notice of Privacy Practices
o Privacy practices documentation including:

  • Use and Disclosure
  • Rights to Request Privacy Information
  • Right to Request Privacy Protection of PHI
  • Access of Individuals to PHI
  • Denial of Access to PHI procedures
  • Amendment of PHI
  • Accounting of Disclosures of PHI
  • Administrative Requirements
  • Transition Provisions

o Training documentation for employees over Privacy Practices and organization training policies
o Policies and procedures in place over administrative, technical and physical safeguards over all forms of PHI
o Complaint handling policies and procedures
o Population of complaints over Privacy Practices made within the past year (Complaint Log)
o Sanction and disciplinary policies and procedures over privacy violations
o Mitigation and disciplinary policies and procedures for when a breach occurs
o Anti-intimidation/anti-retaliation policies and procedures
o Policies and procedures over Uses and Disclosures of PHI, including:

  • Deceased individuals
  • Personal representatives
  • Confidential communication
  • Business associate contract requirements
  • Health Plan documentation requirements
  • Treatment, payment, and/or operation
  • Consent and authorization requirements
  • Judicial or administrative proceeding requirements
  • Research requirements
  • Approval or waiver requirements
  • De-identification/re-identification of PHI procedures
  • Restriction of PHI
  • Minimum necessary requirements
  • Limited information provided for fundraising purposes
  • Healthcare underwriting requirements
  • Identity verification procedures of individuals requesting PHI

HITECH

o Breach notification processes and capabilities
o Entity-level risk assessment documentation

Source: Susan A. Miller, JD, Malvern Group: "Issue Brief: OCR Audit Documentation Requests — What We Know Now" www.malverngroup.com/uploads/OCR_Audit_Document_Request_Brief_20120424_v_2.pdf.
