As the HIPAA compliance audit program draws near, healthcare organizations must take five steps to prepare, compliance specialist Bob Chaput urges.
When auditors arrive, Chaput says, they'll evaluate both technical and non-technical safeguards. "At one end of the continuum they're going to want evidence and documentation that there's a vibrant and active privacy and security governance committee in place ... And on the other end, they're going to look at very, very specific technical controls and safeguards ..." he predicts.
In an interview with HealthcareInfoSecurity's Howard Anderson (transcript below), Chaput spells out five key HIPAA audit preparation steps:
- Formally establish and charter a privacy and security risk management council.
- Complete an updated evaluation of technical and non-technical safeguards for protected health information.
- Conduct a timely Risk Analysis addressing all threats and vulnerabilities.
- Complete an assessment of compliance with the HIPAA privacy rule. That includes demonstrating that all appropriate policies, procedures and training are in place and that business associate agreements address all necessary privacy issues.
- Document and act upon a corrective action plan, based on a risk assessment, to ensure compliance with the HIPAA security and privacy rules as well as the HIPAA breach notification rule, and also to demonstrate overall risk management.
The Department of Health and Human Services' Office for Civil Rights recently hired KPMG to conduct up to 150 HIPAA compliance audits by the end of 2012 (see: HIPAA Compliance Audits Described). Chaput predicts that auditors will request extensive documentation, including: a risk analysis; privacy and security policies and procedures; sanctions for violating policies; breach notification procedures; training materials and evidence training has actually taken place.
Chaput is president of Clearwater Compliance LLC, a privacy and security consulting firm that helps covered entities and business associates comply with HIPAA and the HITECH Act.
Reprinted with the Permission of Clearwater Compliance