Originally published February 2017 in Trojan Today.
If you’re a smaller practice and you’ve never had a HIPAA complaint, you’ve probably never experienced a HIPAA audit. However, that’s about to change. New policies from HHS mean that every office, no matter how small, will undergo a HIPAA compliance audit.
The word ‘audit’ tends to fill people with fear. While fines can be upwards of $1 million for practices that fail the audit, auditors are looking for signs of willful neglect. If you’ve followed my advice, you don’t need to worry. You’ve laid the groundwork for showing meaningful compliance with HIPAA. Now you need to ensure you know how to present the evidence of that compliance to the HIPAA auditor. Here’s a step-by-step list to help you prepare for your audit and to pass with flying colors.
Step 1: Notify Your Staff of the Coming Audit.
Let your staff know the auditor is coming, so they’ll be able to prepare for the upheaval. Provide an expected schedule for when the audit will start, when it will end, and when you’ll be able to share the results. All staff members help your office comply with HIPAA every day, so they all should feel as if they have a stake in the audit.
Make sure your Compliance and Security Officers will be in the office for the duration of the audit and available to answer the auditor’s questions.
Step 2: Notify Contractors and Make Sure Their Documentation is Up-To-Date.
Notify any contractors you’ve worked with since the last audit that an audit is coming. Remind them that you or the auditor may request additional documentation. Make sure they will be available for questions during the audit.
Step 3: Clear a Workspace for the Auditor.
This is a small thing, but it can make a big difference in how the audit proceeds. Provide a quiet, out-of-the-way workspace where the auditor won’t be disturbed but will have easy access to staff. A proper work area will make the audit go faster and minimize disruption to the practice during the audit.
Step 4: Assign the Auditor an Assistant.
While this assistant may be your Privacy or Security Officer, these people often have other responsibilities that can’t be put on hold during an audit. Assign a junior member of the office staff to help the auditor pull documents, make calls, fetch coffee, and perform other clerical tasks. Again, this will speed the audit and minimize disruptions. Ideally, most of your staff and patients won’t even notice the audit is going on.
Step 5: Pull Relevant Documentation before the Auditor Arrives.
If you’ve been following the guidelines for meaningful compliance, you should have hard copies of all documentation and know where they are. Pull them and put them on a shelf or cart close to the auditor’s workspace. Make sure to include:
- Policy Binders,
- Records of annual review and updates to policies,
- Risk analysis reports for each piece of technology,
- Data breach protocols, and
- HIPAA training documentation for all staff members and contractors, on- and off-site.
Step 6: Provide an Index to the Materials.
Take time to type up a brief index to the materials for the auditor. Include information on the number of binders or files of each type and any color coding or other identifying info. This will make it easier for the auditor, or the helper, to quickly pull relevant files, read them, and return them to their places. A good index can make the audit go more quickly and can help you replace items after the audit is over.
Step 7: Relax.
YOU’VE GOT THIS. The auditor is looking for evidence of neglect or deliberate law-breaking.
If you’ve tried to comply with the law, prepared for the audit, and helped the auditor track down and review documents, you’ll be in great shape. If you come away from the audit with a list of remediation steps, take them as soon as possible. Then, continue to review and update everything at least once a year, or more frequently if you have staff turnover or purchase new technologies. Once you’ve prepared for, and passed, your first audit, you’ll have the tools you need to deal with all future audits too.
If you’re still worried about HIPAA audits even after following the advice in these two articles, your Compliance and Security Officers may need additional training and education. Consider contacting a trainer with expertise in HIPAA compliance to help get your office on the right track.
Christine Taxin is the founder and president of Links2Success, a practice management consulting company in the dental and medical fields. With over 25 years of experience as a practice management professional, she now provides private practice consulting services and delivers continuing education seminars for dental and medical professionals.
FMI: www.links2success.biz or 914-303-6464