Let’s be real – there’s probably a few things in life we all have an“Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits – yet HIPAA investigations are becoming more common than you might think.
While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints- none of which a medical practice is immune to.
Proactively preparing for anything that might be thrown your way is imperative for your practice to have the ability to handle a HIPAA audit without the consequence of a hefty violation. Here are the top 6 things you should have in place BEFORE a breach, complaint or audit investigation occurs:
1. Security Risk Analysis
The first thing the OCR looks for upon investigation is a properly documented and up to date Security Risk Analysis (SRA). This shows that you’ve assessed your practice operations and identified any vulnerabilities – BEFORE an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement.
2. Practice-Specific Policies & Procedures
Proper documentation is key for all aspects of your compliance program including your practice specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice and the proper documentation is necessary to prove the expectations and standards you have set for your organization.
3. Disaster Recovery Plan
Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail.
4. Implement Proper Administrative, Technical and Physical Safeguards
Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements – and ultimately protecting your patients.
5. Staff HIPAA Training
Properly train your workforce on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff is staying up to date with any changes to HIPAA regulations or practice operations.
6. Business Associate Agreements
It’s important to be on the same page with everyone that has access to your patient’s secure information. Implementing the proper business associate agreements (BAAs) with all third party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach.
There’s a lot that goes into your HIPAA program, even more than the top 6 items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patient’s data.