Privacy attorney: Documentation for HIPAA audits must be meticulous

With HIPAA audits this fall expected to be narrower in focus, healthcare organizations and their business associates must ensure that their documentation is meticulous, according to Adam Green, a privacy attorney with Washington, D.C.-based law firm Davis Wright Tremaine.

Green, in a recent interview with HealthcareInfoSecurity, said that for organizations whose documentation is not in order, the process will be "a bit tougher" going forward, as opportunities to offer explanations will be much more limited. Green previously worked for the U.S. Department of Health & Human Services Office for Civil Rights--the organization tasked with conducting the audits.

"If you're a well-organized organization, I think these desk audits will make things significantly easier," Green told HealthcareInfoSecurity. "OCR has indicated they are not going to do follow-up questions … so you want your policies and procedures to tell a good story of your compliance."

Green went so far as to say that, because of the more "streamlined" nature of the second round of audits, organizations that fail to follow directions and try to share too much information could be penalized.

"OCR wants to see what it's requesting--nothing more, nothing less," he said. "If they get everything, including the kitchen sink, it makes it harder for them to conduct their assessment."

Problems that were common in the pilot phase, such as noncompliance with the HIPAA breach notification rule, will be areas of particular focus in the new audits, according to a recent OCR presentation. In the pilot program, a lack of thorough risk analysis was found to be a major weakness.

OCR Director Leon Rodriguez has said the permanent program will place special emphasis on vulnerabilities that can change from year to year.

OCR in March levied its first fine against a local government for HIPAA non-compliance. Skagit County in Washington state was ordered to pay $215,000 for failing to act after a self-reported September 2011 breach compromised the electronic protected health information of close to 1,600 people served by the county's public health department.

For more information:
- here's the full HealthcareInfoSecurity interview
