Any covered entity under HIPAA has spent the last five years or so scrambling to put together a HIPAA policy. A policy alone is not enough; you need to actually implement it, because you could be audited. This guide provides general suggestions on what you need to have ready for a security audit.
1. Why you should be worried about a HIPAA audit
Recently, the Center for Medicaid Services ("CMS", an arm of the Department of Health and Human Services) sent out a bulletin announcing random HIPAA audits of covered entities, targeting healthcare providers, insurers, and employers that use self-administered health insurance plans. These audits could be conducted by the U.S. Office of the Inspector General (OIG) or by private auditors contracted by CMS to carry them out. The authority for these audits is found at 45 C.F.R. 160.300-160.316.
2. What you need to do to be ready
As part of this warning, CMS provided a checklist of the type of information an auditor will demand from the covered entity. I recommend that you review your HIPAA policies and, where feasible, make sure that the procedures and protocols suggested by the audit checklist are implemented. The checklist is located in the link below.
3. Comments
The checklist gives a clue as to what an auditor may ask for. Depending on the nature of the covered entity, the HIPAA regulations may not require the actual implementation of every item on this list; to be safe, however, my recommendation is that each listed item be evaluated to determine whether the security measure is feasible and, if so, implemented. Document your analysis, and know which measures are mandatory and which are addressable under the regulations.
4. Additional recommendations
1. Conduct an analysis of which "addressable" items listed in the checklist have not been included in your policy, and then, working with your IT department, generate the documentation needed to support a conclusion that each item is either feasible or infeasible.
2. Have a companion records management and retention policy, and incorporate it into (or at least cross-reference it from) the HIPAA policy.
3. Review Business Associate Agreements and Third Party Administrator Agreements to ensure the items referenced in the checklist are addressed.
5. What is a covered entity?
Use the CMS chart in the link below to see if your company qualifies as a covered entity.