Giva Blog
Help Desk, Customer Service, Cloud & Security Insights, with a Side of Altruism!

3 Tips to Prepare for 2016 HIPAA Audits


The U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) first began conducting HIPAA audits in 2014 and is continuing with phase two this year. The purpose of these audits is to ensure the protection of each individual's personal information. The second phase examines decryption and encryption, facility access controls, and additional high-risk areas that have yet to be specified. If your company is being audited, it will receive an audit notification letter from the OCR and should plan for an estimated 30- to 90-day procedure.

With this knowledge, your company can begin to prepare for the assessments to make certain that you are ready.

  1. First and foremost, be aware of what documentation you will need to have readily available. Each covered entity being audited will be asked to provide a list of business associates. Because this information may be scattered around different countries, it will take some time to gather everything that is needed, and it is best to begin compiling the list now. Additional documents to consider having on hand include the current risk assessment, notice of privacy practices, and incident response policies and procedures. Make sure that all documents are posted in the appropriate place, but also have extra copies on hand to provide to the OCR if necessary.
  2. Second, re-familiarize yourself with the compliance program and make adjustments as necessary. The OCR considers whether your company is consistently following the HIPAA compliance program and keeping things current. One way to show that you have been in steady compliance is to date each of your documents every time it is reviewed.
  3. Third, make sure that your employees' knowledge is kept up to date. It is one thing to have all of the documents in the right place, but it is even better to have your staff prepared in case they are asked questions. A portion of the audits are expected to be in the form of office visits, so employees must be prepared to answer any questions or provide clarification if needed.

In addition to these three suggestions, verify that your data software is up to date and that you are making every effort to protect individuals' information. Although it appears that a major focus will be on policies and procedures, do not forget about encryption and decryption as well as access controls. Anticipate data questions and inquiries as well; do not focus solely on policies.

The key takeaway is to be up to date in all aspects: company policies, software, employee training, etc. Knowing the main focuses of the phase-two audit can help you narrow where to place your attention and bring everything up to compliance standards. Keeping these three tips in mind, you can continue your journey to HIPAA compliance with confidence.