With OCR audits going on in full swing, your legal responsibilities as a healthcare provider have doubled. It’s not just about being compliant anymore- you should be in a position to prove your compliance with HIPAA regulations to the OCR team. The HIPAA audits seek to ascertain that all covered healthcare entities and their business associates are compliant with the requirements of the Health Information Portability and Accountability Act.
So while you may be compliant with HIPAA norms already, it’s now time to demonstrate compliance to the audit team. But this may not be possible unless you have prepared yourself to meet the demands of the OCR audit team. With penalties for non-compliance surpassing the million dollar mark, it’s only wise to be alert and prepare yourself for the upcoming audit.
Document all necessary evidence. Once your entity is selected for the audit, you will have just 10 business days to respond to initial documentation request. So make sure that all policies, procedures, and practices related to HIPAA compliance are documented and ready to be presented. Begin by creating a comprehensive list of documents that may be needed to support your compliance efforts.
Identify your Business Associates. Make sure you negotiate business associate agreements with all your vendors who handle protected health information (PHI). This is crucial to avoid data breaches and to prove compliance to the audit team.
Conduct periodic risk analysis. All covered entities are required to conduct a comprehensive, periodic risk analysis to identify and mitigate risks. If you have not conducted this in the last 12 months, you should do so immediately, because the audit team may ask you to present the results of this analysis during the audit. So don’t forget to document the entire process.
Assess your compliance status. Periodically evaluating the effectiveness of your compliance program is mandatory. If you have not formally evaluated your compliance program, you should do so at the earliest, and identify gaps or pitfalls if any, so that they can be fixed before your facility is audited.
Train your staff. Educating employees about the necessity to safeguard PHI and training them to follow security protocols and procedures are essential for HIPAA compliance. If your employees have not been trained consistently, it’s now time for a refresher. Make sure you document the training process to show evidence that all relevant employees have been duly trained.
Prepare SMEs. You should identify subject matter experts (SMEs) who will be the best points of contact for the audit team. These SMEs should be able to provide the necessary details on various aspects of HIPAA implementation. So make a list of SMEs and prepare them to face the audit well in advance.
Ensure timely response. During an audit the deadlines for responding are usually very short. So make sure the right people receive communications from the OCR team. This can help you respond at the right time and make a positive impression during the audit.
While complying with HIPAA regulations is challenging enough, demonstrating evidence of compliance to the OCR team can be even more difficult. That’s why eGestalt’s SecureGRC has been designed to meet all the audit requirements apart from helping you achieve and maintain security and compliance in your entity. It comes with capabilities for compliance assessment, self-audits, and documentation, which can prove useful while preparing for the OCR audit. So with eGestalt’s SecureGRC, clearing the HIPAA audit can be a cake-walk.