Execs' HIPAA audit mantra: Prepare and communicate


Getting ready for and responding to HIPAA audits can be a daunting task for many hospitals and health systems, but a panel of security and privacy professionals have two words of advice: Prepare and communicate.

Everyone should know what expectations are, whether they’re in the organization’s workforce or a business associate, Janelle Burns, corporate privacy and security officer at Baptist Memorial Health Care, said during the 25th National HIPAA Summit on Thursday.


Organizations must continually “shake the trees” and make sure nothing is left uncovered, added Deidre Rodriguez, director of the corporate privacy office at Anthem.

“The more that you try to prepare for this and the more people that you talk to, the more questions you ask, information will pop up that you never even knew,” she said.

Burns herself now has firsthand experience of what it’s like to be selected for an audit, as her organization was among those selected by the HHS Office for Civil Rights this year. She said that one Friday she went to lunch and when she came back, there were 55 emails in her inbox from OCR.

“I about fell out of my chair,” she said. However, many of those emails were duplicates; once those were removed, the list came down to 32 entities receiving contact verification.

“With 32 I thought that there might be a chance that we could be selected, and we ultimately did have one of our hospitals that was selected for the privacy breach notification audited,” Burns said.

While OCR's questions were straightforward, she said, the biggest challenge was the sampling. Burns said they were asked for the first five and last five access requests of 2015. While the last five were easy to gather, the first five proved more difficult because they were stored on an older system in which searching by date was much harder.

Other organizations represented on the panel described how they are preparing for potential audits, including by creating a crosswalk between HIPAA and their organizations’ current policies.

Deborah Yano-Fong, chief privacy officer at the University of California San Francisco, called UCSF’s crosswalk a “living document.” It’s continually updated, she said, and an evolving process.

Glitches happen, and privacy-relevant aspects can change without the privacy office hearing about it, which makes having a living document that can continually close gaps all the more important, Yano-Fong said.

For example, she said, it helped UCSF realize that its notice of privacy practices had been moved off the front page of its website.

In addition to a crosswalk document like UCSF’s, Rodriguez said Anthem created an audit playbook that contains everything anyone at the organization would need to know, from who would get the auditors their badges to tips for employees who may be interviewed.

She also emphasized the importance of mock audits as a way to practice and prepare, as well as to reduce the stress and anxiety of employees.