The mere prospect of a HIPAA audit can be intimidating—there are almost 200 questions in a full audit. Yet the reality is that most organizations fail the audit in the first few questions.
Antonio Stroman of Axis Cloud Sync made a short list recently of 10 questions that management should review as a quick self-test. The results are a good indication of whether the organization has a chance to pass a HIPAA audit or is already in violation.
What we found striking about the list is the consistent requirement for policies and procedures, either explicit or implicit, in each of these questions. Policies and procedures are the foundation of effective and compliant operations and the starting point for passing HIPAA audits.
Take for example the first question on his list. It asks if the organization has policies and practices that support an accurate assessment of risk. To answer ‘yes’, an organization really must also carefully manage their policies in order to ensure that the policies are understood and easily accessible when needed.
Question 4 expands on this idea to specifically confirm that policies are formal and cover the spectrum of incident identification, response, reporting, and mitigation. Further, question 3 requires that a named individual be responsive for policies and procedures.
All of the other questions in the short self-test depend on policies and procedures as well—for disaster recovery, technology management, business continuity and so on. Clearly, policy and procedure management is integral to HIPAA compliance.
Policies & Procedures Management
If you want employees to follow specific guidelines, you need to document them. Policies and procedures define how the organization operates and how specific tasks must be performed.
Once policies and procedures are defined, they must be managed to ensure that all employees have access to them. They must be controlled, so that updates are recorded and acknowledged by all affected workers. They must be pushed out and also available for instant retrieval and review.
The good news is that policy and procedure management is readily available and affordable. TotalCompliance provides a secure portal for instant access by authorized employees with zero IT infrastructure at your location, making it easy to get started and grow as needed.
Don’t risk HIPAA audit failure because of shortcomings in policy and procedure management.
Here is the original blog:
Top 10 Questions Most Organizations Fail During a HIPAA Audit
by Antonio Stroman Axis Cloud Sync
Forget about a full blown HIPAA audit with over 192 questions for covered entities (CE’s), most organizations fail and are considered out of compliance within the first 10 questions. HIPAA in the past few years has become the latest 5 letter bad word in the healthcare industry. With confusing terminology and enormous fines, non-compliance can be more than a financial setback, you could end up in prison. So how does your organization stack up? We’ve included 10 questions from the HIPAA Security Rule for you to perform a partial self-audit and see for yourself.
10 Questions from the HIPAA Security Rule
|Section||Key Activity||Audit Procedures||Implementation||Your Answer|
|§164.308||Conduct Risk Assessment||Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.||Required||YES/NO|
|§164.308||Implement a Risk Management Program||Inquire of management as to whether current security measures are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).||Required||YES/NO|
|§164.308||Select a Security Official To Be Assigned Responsibility for HIPAA Security||Inquire of management as to whether the organization has assigned responsibility for the HIPAA security to a Security Official to oversee the development, implementation, monitoring, and communication of security policies and procedures.||Required||YES/NO|
|§164.308||Develop and Implement Procedures to Respond to and Report Security Incidents||Inquire of management as to whether there are formal or informal policies and/or procedures in place for identifying, responding to, reporting, and mitigating security incidents.||Required||YES/NO|
|§164.308||Develop Contingency Planning Policy||Inquire of management as to whether a formal contingency plan with defined objectives exists.||Required||YES/NO|
|§164.308||Data Backup Plan and Disaster Recovery Plan||Inquire of management as to whether disaster recovery and data backup plans exist to restore any lost data.||Required||YES/NO|
|§164.308||Encryption and Decryption||Inquire of management as to whether an encryption mechanism is in place to protect ePHI.||Addressable||YES/NO|
|§164.308||Implement Methods for Final Disposal of ePHI||Inquire of management as to how the disposal of hardware, software, and ePHI data is managed.||Required||YES/NO|
|§164.308||Develop and Implement an Emergency Mode Operation Plan||Inquire of management as to whether policy and procedures exist to enable the continuation of critical business processes that protect the security of ePHI while operating in emergency mode.||Required||YES/NO|
|§164.308||Develop Recovery Strategy||Inquire of management as to whether procedures exist for recovering documents from emergency or disastrous events.||Required||YES/NO|
If you were able to answer yes to each one of these questions, congratulations you’re well on your way to being compliant with the latest changes in the HIPAA laws but if you answered no to just one of these questions, then your organization is considered out of compliance and could possibly face fines of up to $1.5 million and possible jail time. If you noticed, each one of the questions by the auditors is addressed to management and it’s critical that HIPAA compliance becomes a top priority within your organization.