It’s one thing to prepare your organization with a solid defense against a potential privacy breach. Add in an HHS/OCR audit or investigation, and it becomes crucial that organizations take the necessary steps to comply with the HIPAA Privacy, Security, and Breach Notification rules.
Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar and Associates, outline 10 tips for preparing for an OCR audit.
1. Learn your compliance status. This goes for both the HIPAA privacy and security rules and the interim final breach notification rule. According to Sher-Jan and Apgar, every covered entity should gain a full understanding of its compliance status and its gaps against these rules. Conducting an evaluation or gap analysis of HIPAA privacy, security, and breach notification requirements, they said, is the logical starting point. And don’t forget about your business associates, since they can pose a “significant risk” as well. Remember, they warned, that the HIPAA security and privacy rules have been with us for several years, and the interim final breach notification rule was effective September 2009.
2. Create a centralized management system for your documents. Current and accurate documentation that is easily accessible is key, said Sher-Jan and Apgar. It’s essential to compliance and provides protection against significant legal risk. This includes policies, procedures, risk analysis reports, training records and records of other related compliance activities.
3. Develop a compliance plan. Your plan should rank compliance gaps from high to low risk and assign resources to close them. According to Sher-Jan and Apgar, the gap analysis described in the first tip should be used to develop a plan of action, drive organizational alignment and allocate the resources necessary to execute the compliance action plan. Keep in mind, though, that surviving an audit or investigation is not about making sure that no gaps are found; rather, said Sher-Jan and Apgar, it’s critical that you demonstrate a credible remediation/action plan and evidence of execution toward bridging the gaps. In other words, you need to show a commitment to a ‘culture of compliance’ and demonstrate due diligence.
4. Prepare and implement HIPAA policies and procedures. According to Sher-Jan and Apgar, organizations must have policies and procedures in place that help them protect the confidentiality, integrity, and availability of protected health information. Once again, they said, the gap analysis will identify whether any policies and procedures are missing or need to be updated in light of evolving regulations and the use of new technologies and social media within the healthcare industry. And keep in mind, your highest security risk, they said, is people, and policies and procedures are key to mitigating that risk. You also need to demonstrate that the policies, procedures, and processes followed by your organization are reviewed on a regular basis and are current, accurate, and enforceable, they advised.
5. Create an incident response plan. An incident response plan, or IRP, is a critical element in planning for compliance and protecting PHI, said Sher-Jan and Apgar. According to them, the IRP provides an overall strategy for how a covered entity will react to a privacy and/or security incident and comply with the federal interim breach notification rule’s burden of proof provision. They added that it’s important to demonstrate you have an incident response team, plan, and procedures that will ensure a consistent and timely response to any incident. “Remember, a breach is ‘discovered’ when you know about it or should have known about it,” said Apgar. “This means if you’re not compliant, you may not know about breaches of PHI in time to meet your legal notification requirements.”
6. Train workforce members. The highest risk to any organization, they said, is people. If workforce members aren’t trained, the risk of violations and breaches of PHI increases significantly. “Organizations need to remember training is an ongoing process, and not a one-time event,” said Sher-Jan. Also, they added, training doesn’t just mean “classroom training.” It needs to include training workforce members on what they’re responsible for in relation to the protection of PHI. All workforce members, they said, need to know the steps outlined in your organization’s policies and procedures before they will know what’s required of them. Lastly, they added, if you have business associates whose employees have access to PHI, those employees also need to be trained.
7. Conduct a risk analysis and ongoing risk management. This will help to reasonably ensure you have the policies, procedures, and practices in place to implement a robust privacy and security program and handle incidents in compliance with the interim final breach notification rule on an ongoing basis. According to Sher-Jan and Apgar, you should identify your high-risk assets and ensure that risk analysis for these assets is current. Assets should include technical and non-technical assets that are critical to your organization. This means certain critical business or clinical processes, for example, need to be included in your asset inventory. Remember, they said, that risk vectors evolve, and so should your ongoing risk management.
8. Document mitigation activity. Both Sher-Jan and Apgar agreed that an organization needs to demonstrate continued compliance activity, which “again, is not a ‘one time’ event.” It’s unlikely, they said, that any organization can prevent all unauthorized access to or exposure of PHI, but it’s important to show you’re committed to protecting PHI. You can do this by documenting your incident discovery, response, and mitigation activities, they said.
9. Conduct periodic audits. And this isn’t just a regulatory requirement, they said – it’s an important activity to address potential privacy and security gaps, while identifying security incidents before a significant breach occurs. A proactive audit, by internal resources or qualified vendors, can be very instrumental in detecting compliance gaps and reducing risk to the organization, while avoiding the unwanted scrutiny that comes with an actual OCR audit or investigation, they said.
10. Seek assistance from knowledgeable vendors. It’s helpful to get an outside perspective and specific expertise when preparing for or conducting an audit or evaluation, they said. A knowledgeable vendor can augment your limited resources and provide the third-party credibility that can be leveraged with federal auditors.
(Reprinted from Healthcare IT News: http://www.healthcareitnews.com/news/10-tips-prepare-ocr-audit)