Wednesday, March 6, 2013

The Audits are Coming!

Almost all healthcare entities, including hospitals and physician practices, are subject to a wide range of audits. These medical audits ensure the quality of medical practice. HIPAA audits can be considered the latest addition to the list, and physician practices have only a limited time to meet the demands of a HIPAA audit.
After the practice receives a letter stating that it is to be audited, it has up to 10 days to send over all requested information. Within the next one to three months, the practice is subject to an on-site audit lasting three to 10 business days. The auditors use this time to scrutinize the practice's policies and procedures, analyze its technological protections and security measures, observe how the overall environment safeguards health information, and interview the staff. Afterwards, the auditor sends a draft final report summarizing all observations. The physicians have 10 days to refute the comments before the auditor submits the report to the government. This year, the government intends to physically audit 115 covered entities.
The government has posted a total of 165 performance criteria to help physicians prepare for an eventual HIPAA audit. According to the criteria, the practice will be reviewed for compliance with the Security, Privacy and Breach Notification Rules. Some criteria call for a screenshot of the practice's computer system to show how health information is handled. Others require the auditor to review the documented risk assessments behind incidents that the practice determined were not security breaches.
The practice is expected to develop and deploy an information activity review process, conduct risk assessments, designate a security official, and develop and implement procedures to respond to and report security incidents. Depending on the complexity of the practice, the HIPAA auditor will review its formal or informal policies and procedures covering how encryption keys are protected, which types of encryption are used, whether the ability to create or modify keys is restricted to appropriate personnel, and how keys are managed.
The HIPAA Privacy Rule focuses on several areas of compliance, including the notice of privacy practices for the patient's protected health information (PHI), the patient's right to request privacy protection for PHI, the individual's right to access their PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, and accounting of disclosures. For these areas, the HIPAA audit protocol requires the practice to obtain a valid authorization for the use or disclosure of PHI, to account for disclosures of PHI, and to comply with the minimum necessary requirements.
Meeting the demands of a HIPAA audit cannot be done overnight. Physicians should therefore be proactive and develop a work plan to review their HIPAA policies and procedures, implement them with staff and management, update them as necessary to reflect changes in technology and the law, and create detailed supporting documentation of all compliance decisions and activities.
