An increasingly digital medical field requires new security and usage standards. In 2016, the HHS Office for Civil Rights (OCR) launched phase II of its HIPAA and HITECH audit program. Covered entities were selected at random, and the audits were conducted as desk audits: OCR requested documentation rather than visiting the provider. These audits focused on areas such as the notice of privacy practices, patient access to records, risk analysis, risk management, and breach notification, among others.
Phase III has not yet been announced, but it will likely cover requirements similar to those in phases I and II, and it is likely that at least some audits will be conducted on-site. Remaining vigilant is the best way for healthcare providers to avoid fines for compliance failures, and knowing what to expect can help.
What are HIPAA and HITECH Audits?
HIPAA audits focus on the Privacy, Security, and Breach Notification Rules, while HITECH audits focus on a provider's "meaningful use" of electronic health records; HITECH also extended HIPAA's privacy and security requirements (for example, to business associates). Phase II audits began with organizations that had complaints attached to them, then moved on to randomly selected organizations, which were asked to confirm whether they complied with specific aspects of HIPAA and HITECH.
In phase II, after the pre-audit phase, organizations were asked to provide their security risk analysis, their risk analysis policy, their risk management plan, and their plan to close any gaps that the risk analysis uncovered. OCR also tested organizations' notice of privacy practices and patient access practices.
Even if an organization does not meet every HIPAA and HITECH requirement at the time of the audit, having a documented plan to close the gaps can substantially reduce its exposure to fines. Creating that plan is the first and best step in preparing for an audit.
How to Prepare for a HIPAA/HITECH Audit
Risk Analysis: A healthcare organization's security risk analysis identifies the risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) it holds, and it is where weaknesses in compliance practices first become visible. Auditors will ask the organization to produce one, so having a current, written risk analysis is crucial. The provider's security and privacy policies, breach notification procedures, and incident response procedures should all be documented alongside it.
Staff Training: Human error is still one of the primary ways that systems are breached. Regular staff training on the organization's HIPAA and HITECH policies reduces that risk and improves how the organization performs in its own risk assessments and in an audit.
Conduct an Internal Audit: Conducting an internal audit before OCR does gives your organization a chance to learn what to expect and points out any weaknesses in your HIPAA and HITECH compliance. A third-party audit takes the pressure off your own staff and can point out weaknesses that internal staff might miss.
Create a Risk Management Plan: Even if an organization has gaps in its compliance, auditors will be looking at the strength of its remediation. The risk management plan is the organization's documented way of addressing the weaknesses found in its risk analysis: what will be fixed, by whom, and by when.
It is best to create the risk management plan before an audit notice or a breach turns it into an emergency. A third-party managed IT service can review your current security and privacy policies and help create the plan. Excedeo's experts are well-versed in HIPAA and HITECH compliance and can arm your organization with the tools it needs to perform well in audits.
Sign up for a free cybersecurity assessment and learn how Excedeo can help your organization build a better company.
About Excedeo
There’s no need to look further than Excedeo for your IT needs. No matter your needs, Excedeo is prepared to exceed them. If you are considering increasing your cybersecurity, consult with Excedeo to know what is best for your company.