Follow Up: How a Mock HIPAA Audit Can Identify Gaps in Preparedness Webinar
Posted in Malpractice Insurance on Tuesday, November 24, 2015
PSIC recently hosted a series of complimentary risk management webinars. In October, Susan Lucci, RHIA, CHPS, CHDS, AHDI-F of Just Associates presented on How a Mock HIPAA Audit Can Identify Gaps in Preparedness. In case you missed the webinar here are a few tips, shared by Ms. Lucci, on OCR HIPAA Audits:
Preparing for the upcoming round of OCR HIPAA audits should be high on every provider’s to-do list. If you already have a compliance plan in place, this is an excellent time to review what you have, and make note of what is needed. We recommend that all providers have the following Top 5 List well underway or complete:
- HIPAA Workforce Education: This is a key requirement in HIPAA regulations. Workforce training should be formalized, and it is a good idea to follow it with an assessment to ensure learning has occurred.
- Designate a Privacy and Security Officer: Many small practices have staff who perform more than one job. It is fine for an existing team member to be assigned the duties of privacy and security officer, but ensure that adequate training and education materials are available. The person(s) assigned these responsibilities should have the oversight and responsibility to talk with patients about concerns, to develop policies and to ensure forms are developed and managed appropriately.
- Develop Policies & Procedures: HIPAA requires that policies be in place for privacy, security and breach notification. Many fines assessed by the OCR cite lack of policies and procedures among other issues.1 All policies can be brief and to the point. It is best if they are located on a shared drive where all team members can access them.
- Logging and Remediation of Security Incidents: Every organization should have an incident report form in place. This form should capture thorough details of incident investigation, resolution and new procedures or practices that are warranted as the result of an incident. Your ability to gather and document the facts and outcome of an incident as well as the 4-step assessment of breach determination are critical to compliance with the Final Rule.2
- Conduct Security Risk Analyses: Create a list of all assets (ePHI); then identify risks and threats; list the controls in place; determine the potential impact; and document possible solutions to mitigate identified risks. It is important to remember that this is a foundational component of risk management. We know a simple checklist is not enough, and the OCR found this requirement severely lacking among organizations audited in the first round. A security risk analysis will be high on the list of documents they will be looking for, and it is your best defense for minimizing vulnerabilities, both external and internal.3
This is not an all-inclusive list of HIPAA compliance requirements, but it highlights some of the responsibilities that can help an organization move towards HIPAA compliance. There is no substitute for being familiar with the Final Rule and taking advantage of the HIPAA audit protocol for guidance. Start today to protect your practice and your patients against the risks of a breach.
If you have additional questions, contact Susan M Lucci, RHIA, CHPS, CHDS, AHDI-F, Consultant/Chief Privacy Officer, Just Associates, Inc. at firstname.lastname@example.org or 303-646-3355.