How to prepare for a HIPAA audit.
Are you facing a HIPAA audit and unsure of what to do? While you may be familiar with HIPAA regulations and how non-compliance can put you in hot water, for audit purposes remember that an ounce of prevention is worth a pound of cure. Here’s what you need to know.
Document and Data Management
The first item on your checklist, and perhaps the most involved, is to take a look at how you manage your documents and electronic data. For electronic data, proper user ID and password administration will help you ensure that every user is uniquely identified and that passwords are sufficiently strong and changed periodically. Automatic log-off helps protect sensitive data when someone leaves a workstation unattended. Encryption ensures that sensitive information cannot be viewed or interpreted by anyone who does not hold the correct keys.

For paper documents, run a risk analysis to find where protected health information (PHI) is used and stored, and identify every way HIPAA could be violated. Medical records and PHI kept in hallways or other areas reachable by unauthorized individuals should be in locked cabinets. There should be no open shelving in patient or research subject areas, nor in any hallway that unauthorized individuals can access.
Secure Your Workforce
Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
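The controls described above (unique user IDs, periodic password changes, and removing PHI access when employment ends) can be checked mechanically. The following access-review script is an added illustration, not code from the original post: it assumes an HR roster export and an application's user-list export, and the rotation interval, field names, and sample records are constructed for the example.

```python
"""Access-review check for a PHI system (added example, not from the post).

Assumes two exports: an HR roster with employment status, and an
application's user list with last-password-change dates and a PHI
access flag. Policy values and sample data below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

PASSWORD_MAX_AGE = timedelta(days=90)  # assumed rotation policy, not from the post


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class AppUser:
    user_id: str
    employee_id: Optional[str]  # None marks a generic/shared account
    last_password_change: date
    phi_access: bool


def review_access(roster: Iterable[HrRecord], users: Iterable[AppUser],
                  today: date) -> List[Tuple[str, str]]:
    """Return (user_id, issue) pairs for accounts that violate the policy.

    Only accounts with PHI access are examined; each account may
    produce more than one finding.
    """
    status_by_employee = {r.employee_id: r.status for r in roster}
    findings: List[Tuple[str, str]] = []
    for u in users:
        if not u.phi_access:
            continue
        # Unique identification: every PHI account must map to one named person.
        if u.employee_id is None:
            findings.append((u.user_id, "account not tied to a named individual"))
        else:
            emp_status = status_by_employee.get(u.employee_id)
            if emp_status is None:
                findings.append((u.user_id, "no matching HR record"))
            elif emp_status == "terminated":
                findings.append((u.user_id, "terminated employee retains PHI access"))
        # Periodic password change: flag credentials older than the policy allows.
        if today - u.last_password_change > PASSWORD_MAX_AGE:
            findings.append((u.user_id, "password older than rotation policy"))
    return findings


# Constructed sample exports for a stand-alone run.
SAMPLE_ROSTER = [
    HrRecord("E100", "active"),
    HrRecord("E200", "terminated"),
]
SAMPLE_USERS = [
    AppUser("jdoe", "E100", date(2024, 1, 15), True),     # compliant
    AppUser("rroe", "E200", date(2024, 3, 1), True),      # left, still has access
    AppUser("frontdesk", None, date(2023, 6, 1), True),   # shared, stale password
    AppUser("itadmin", "E100", date(2024, 3, 1), False),  # no PHI access, skipped
]
SAMPLE_DATE = date(2024, 4, 1)


def run_sample() -> List[Tuple[str, str]]:
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_ROSTER, SAMPLE_USERS, SAMPLE_DATE)


if __name__ == "__main__":
    for user_id, issue in run_sample():
        print(f"{user_id}: {issue}")
```

Feeding real exports into `review_access` on a schedule, and keeping the resulting findings with the date they were resolved, gives an auditor evidence that access is actually removed at termination rather than only documented as a procedure.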
How Is Information Accessed?
Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
Safeguard In-use Records
If a medical record or other PHI is in use but not actively being viewed, it should be closed, covered, or positioned to minimize incidental disclosure. This is especially important in patient or research subject areas.
Destruction of Old Medical Records
Hospitals, insurers, and other healthcare groups are becoming more focused on methods for managing protected medical records in compliance with HIPAA’s privacy and security guidelines, including aspects of storage and destruction. How facilities approach the destruction of old records depends on each state and facility. HIPAA privacy and security rules do not require a particular disposal method. They simply suggest that covered entities review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps. More and more compliance officers are finding that a centralized shredding program with high quality, industrial grade shredders is the better policy.
Have you been faced with a HIPAA audit? What have you done to ensure compliance?
- HIPAA 101: What You Need to Know
- HIPAA 102: The Most Common Violations. Are You At Risk?
- Guidelines for Medical Record Shredding
- Hospital Discharge Paper Shredding & Identity Protection
- Dermatology Practice Gets Hit With Fine for Thumb Drive Breach