Chapter 9: Preparing for HIPAA Audits
Data breaches and lawsuits aren't the only ways that nurses can face fines. In order to ramp up enforcement of the HITECH Act, the Office for Civil Rights (OCR) of the HHS can randomly audit covered entities (including private healthcare practices). Those found noncompliant with current standards can face financial consequences.
The bad news is these audits aim to be comprehensive and detailed and will likely look at the compliance of your business associates. The good news is you're not alone if you're unprepared.
According to HITECH News, 89 percent of organizations that were included in the first round of audits in 2013 had compliance issues. Indeed, the whole health industry has some catching up to do, hence the second auditing round.
As an independent nurse or nurse practitioner, make sure that you're up to date on the latest regulations concerning the privacy and security of health information. As a general rule, keep documentation that shows your procedures for accessing, storing, and transmitting PHI. If you have any employees, your preparation will need to be a bit more comprehensive.
To get you started, here are some steps you can take to prepare for an audit:
- Review and retrain. Go over your policies and procedures to verify that they conform to HIPAA protocol, and update documents accordingly. Retrain your staff on updated procedures, and update your training documentation, too. Ensure that you have a policy for breach notification and that health information is protected by access controls and encryption.
- Contact your business associates. Have a list of your BAs and what services they provide for you. Ask each BA for an updated Business Associate Agreement.
- Conduct a risk assessment. Identify areas of risk within your practice and how you can either fix or respond to them. Go over security and privacy safeguards and ensure that they're adequate. You can even replicate the auditing process internally to find areas that need improvement.
These resources may aid in your preparation:
A random audit will either be onsite or require you to submit requested information electronically. Be prepared for either scenario. Even if you don't get audited, the advice above will help you maintain HIPAA compliance and prevent unnecessary vulnerabilities. It will also help your case should a data breach actually happen and you have to defend yourself against a lawsuit or penalty.