Do now: Set up in-house audit team
HIPAA Regulatory Alert
Every organization needs a well-prepared team that understands its roles and responsibilities when a notice of a HIPAA compliance audit arrives, and that team should be established long before a notice is received, suggests Chris Apgar, CISSP, president of Apgar & Associates, a Portland, OR-based consulting firm. Educate team members about the purpose of the audit, and give each person specific responsibilities, he says.
"Define who the caretakers of the auditors will be when they are onsite, and make sure they understand their role in the audit," Apgar says.
One way to test your documentation index and the effects of your audit team's education is to conduct a "fire drill," recommends Adam Greene, partner at Davis Wright Tremaine, Washington, DC. Deliver a mock audit notice to the administrative offices. If plans go well, the chief executive officer is immediately notified that the letter has arrived and requests for information are disseminated quickly. "Making sure the letter doesn't sit unopened on someone's desk is important," Greene points out.
Set a deadline for gathering all requested documents within 6-7 days of the date of the notice so you have time to identify missing items.
In addition to testing your ability to respond to the audit notice in 10 days, conduct a mock HIPAA compliance audit throughout your organization, suggests Apgar. Don't focus only on policies and procedures, or the information technology department, he says. "Auditors are likely to walk throughout your facility, in multiple departments, so take your own walk through the hospital," he says. "Look for shared computers that have passwords on notes taped to the monitor or screens that can be easily read by members of the public."
Mac McMillan, chief executive officer of CynergisTek, an information technology security consulting company, says, "Make sure all employees understand your privacy and security policies and the purpose of the audit. The greatest risk in a HIPAA compliance audit is not your information technology staff; it is other employees."