How to survive a HIPAA audit

The following is an excerpt from an article published in FierceHealthIT's eBook "Privacy & Security Audits: How to Prepare and Ensure Compliance." Download the eBook here to read more.

By Annette M. Boyle

No hospital compliance officer wants to start the day with a text like the one Brett Short received. Short is the chief compliance officer at the University of Kentucky HealthCare in Lexington, Kentucky, which runs three hospitals and more than 80 clinics. He was scanning the Office of Civil Rights' (OCR) listserv when he received a text from the healthcare system's privacy officer. She had just taken a call from an auditor with KPMG, a government contractor for the first round of HIPAA audits, who asked: "Did you get our letter? The ten days are up tomorrow and we haven't heard from you regarding the audit."

FierceHealthIT spoke with Short to learn what happened next, the lessons he learned from the audit experience and what changes are in store for the next round of OCR's Health Information Portability & Accountability Act audits.

FierceHealthIT: You didn't learn that you were being audited until the deadline to submit documents was around the corner. How did you get everything together so quickly?

Brett Short: We explained that we never received the audit letter and that there are 30,000 people at the email address they used to contact us. So they gave us a few extra days. We put a lot of resources into assembling the documents.

Primarily, though, we were able to respond fast enough because we check ourselves regularly. We review the standards that we have to adhere to and make sure our policies and procedures are up-to-date and our security practices reflect our current risks. And we document everything.

FHIT: What happened during the audit?

Short: The information on the OCR site about the HIPAA audits is very accurate and the auditors did an excellent job of communicating their expectations at the beginning of the process and during periodic meetings when we discussed their findings. They reviewed the documentation requested, looked at our policies and procedures, interviewed officials, observed our activities and documented the findings.

We expected all that. But after the privacy and security assessments by separate teams, we got a surprise--a multi-page letter asking us about our anti-fraud efforts.

So we had to explain our risk assessment for fraud and the procedures we use to identify, respond to and educate employees about fraud.

FHIT: What lessons did you learn and what did you change as a result of your experience with this audit?

Short: My staff makes fun of me for having binders for everything, but if auditors knock on the door, I want to be able to give them the information they need in 15 minutes. We compile monthly reports with different data elements and pull those together quarterly, along with effectiveness metrics, to identify trends. If we see an emerging risk, we address it right away.

To read the rest of this and other articles, download FierceHealthIT's free eBook, "Privacy & Security Audits: How to Prepare and Ensure Compliance."