5 recommendations to prepare for a HIPAA audit

To make sure your organization is prepared at all times for any HIPAA audit or investigation, keep risk assessment documentation and other compliance evidence in a central location, recommended Mark Dill, director of information security at Cleveland Clinic in an interview with HealthcareInfoSecurity.

Dill said his group wants to be prepared if at any time they are faced with an audit from the U.S. Department of Health & Human Services' Office of Civil Rights.

"We're choosing to be proactive and have our documentation in a relatively ready state," Dill told HealthcareInfoSecurity. "We've heard stories of early audits where boxes of paper were thrown at a regulator, and that will just annoy [HHS], which pays a large percentage of the revenue of many hospitals and providers."

"You have an opportunity to develop a book of evidence ... that's the way to address the problem," Dill added. He also suggests these five tips:

  • Know what gaps are in your program in advance. The worst time to find out about problems is at the time of the audit, Dill said.
  • Be organized. If you look disorganized, HHS will think you are disorganized, Dill said. In addition, you will be able to prevent an on-site audit if your documentation is of the highest quality.
  • Display your results in the right format. Dill suggested using the OCR-recommended format (800-30); Cleveland Clinic, he said, uses "an improved format based on the standard."
  • Use three-year benchmarks as "tabs in your book of evidence" for compliance and formal, organization-wide analysis. He suggests keeping a written calendar and schedule of business impact analysis.
  • Partner with a reputable third-party consultant or firm. "Third party attestation can reveal at least 30 percent about what you don't know, and peer comparisons give you a really clear picture," Dill said.

Such initiatives, Dill said, will make your organization appear more organized and compliant. "You can demonstrate a holistic, maturing, continuous, not ad-hoc, self-initiated program," he said.

Starting Oct. 1, 2014, a permanent HIPAA security audit program will begin, according to OCR officials.

After the new HIPAA omnibus rule was published in January, several FierceHealthIT Editorial Advisory Board members noted that its execution will present a multitude of challenges.

To learn more:
- read/listen to the interview in HealthcareInfoSecurity