HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed.
And yet, time and time again, most covered entities chosen for an audit are not prepared. While taking the necessary steps to become compliant can seem overwhelming at times, it is crucial. Just one breach can affect millions of people.
Phase 2 of the HIPAA audit program began in May of 2016 and will continue in 2017. Phase 2 started with an email that asked covered entities to confirm their contact information. Once that information was confirmed, a questionnaire was provided and covered entities had 30 days to complete it. HIPAA covered entities can expect to see the full implementation of the audit program in 2017. Your best defense is to have a core HIPAA program in place and keep it active. The questions below will help make sure that you are covered when audit time comes around.
- Do we have written policies and procedures that address HIPAA standards and vulnerabilities?
- Are we performing regular risk assessments? Are those assessments being documented?
- Do we have an incident response plan in case there is a breach of PHI?
- How are we addressing data security? Does it cover BYOD practices, mobile devices and storage media?
- Are our business associates on top of their requirements?
- Are patients receiving Notices of Privacy Practices? Are they available to our patients on our portal/practice website?
- Do we have a training program in place that properly informs new staff members and periodically refreshes existing workers on HIPAA compliance?
To learn more about the audit protocol, please visit: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html