Once you have implemented the necessary PHI safeguards, the next task is to create audit controls by which those protections are monitored. Audit controls are a required, and very important, aspect of HIPAA compliance and PHI protection. It is not enough to implement a safeguard; there must be a diligent process to confirm that each safeguard provides the anticipated protection and is consistently applied.
To implement proper audit controls you should specify a schedule of reviews. These reviews are your check that everything is working as intended. For example, when you implement a policy and procedure to terminate departing employees' access within 24 hours of their departure, your audit control would be to compare the list of terminated employees against your access logs and account inventory, looking for any terminated employee whose account is still open or still being used. You may choose to do this review every quarter, every month, or even more frequently depending on the usual amount of turnover within your organization. Without this step, you will not know whether the policy and procedure are effective.
For high-volume logs, a complete review may not be practical. For instance, it may take a significant amount of time to review every successful and unsuccessful login attempt. Alternatively, you can review a sample of the logs at a higher frequency. You may also consider enabling alerts to the appropriate staff members after a certain number of failed login attempts within a short period. In that case, your audit control is to periodically confirm that the alert rule is still enabled and that it actually fires in the right instances, rather than assuming it does.
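Both checks described above (the terminated-account review and the verification of a failed-login alert rule) can be scripted against an authentication log. The following is an added example, not code from the original post; the log line format (`<ISO timestamp> <user> <SUCCESS|FAILURE> <source ip>`), the HR termination feed, the sample entries and the 5-failures-in-10-minutes threshold are all constructed assumptions for illustration.

```python
"""Two HIPAA audit-control checks over a constructed authentication log:
1. terminated_accounts_still_active: flag terminated users who still log in
   successfully after the termination time plus the 24-hour grace window.
2. failed_login_alerts / alert_rule_self_test: an N-failures-in-a-window alert
   rule, plus a periodic self-test that replays a synthetic burst to prove the
   rule still fires.
Log format, field names and sample data are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <SUCCESS|FAILURE> <source ip>"
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice SUCCESS 10.0.0.5
2024-03-01T08:05:40Z bob SUCCESS 10.0.0.9
2024-03-03T09:15:02Z bob SUCCESS 10.0.0.9
2024-03-04T07:59:00Z carol FAILURE 203.0.113.7
2024-03-04T07:59:20Z carol FAILURE 203.0.113.7
2024-03-04T07:59:41Z carol FAILURE 203.0.113.7
2024-03-04T08:00:03Z carol FAILURE 203.0.113.7
2024-03-04T08:00:30Z carol FAILURE 203.0.113.7
2024-03-04T08:01:10Z carol SUCCESS 203.0.113.7
2024-03-04T12:00:00Z dave FAILURE 10.0.0.20
2024-03-05T12:00:00Z dave FAILURE 10.0.0.20
"""

# Constructed HR feed: user -> date/time employment ended.
TERMINATIONS = {
    "bob": datetime(2024, 3, 1, 17, 0, 0),
    "alice": datetime(2024, 3, 2, 17, 0, 0),
}


def parse_log(text):
    """Return a list of (timestamp, user, outcome, ip); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def terminated_accounts_still_active(events, terminations, grace_hours=24):
    """Audit control for the 24-hour termination policy.
    Returns {user: [timestamps]} of SUCCESSFUL logins later than
    termination time + grace window; an empty dict means the policy held."""
    grace = timedelta(hours=grace_hours)
    findings = {}
    for ts, user, outcome, _ip in events:
        if user in terminations and outcome == "SUCCESS":
            if ts > terminations[user] + grace:
                findings.setdefault(user, []).append(ts)
    return findings


def failed_login_alerts(events, threshold=5, window_minutes=10):
    """Alert rule: `threshold` or more FAILUREs for one user inside a sliding
    window. A SUCCESS resets that user's count. Returns {user: time_of_alert}
    with one alert per user, recorded when the threshold is first crossed."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(list)
    alerts = {}
    for ts, user, outcome, _ip in sorted(events):
        if outcome == "SUCCESS":
            recent_failures[user].clear()
            continue
        q = recent_failures[user]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.pop(0)
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


def alert_rule_self_test(threshold=5, window_minutes=10):
    """Periodic check that the alert rule is enabled and fires: replay a
    synthetic burst of exactly `threshold` failures and expect one alert."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    burst = [(base + timedelta(seconds=10 * i), "probe", "FAILURE", "192.0.2.1")
             for i in range(threshold)]
    expected_alert_time = base + timedelta(seconds=10 * (threshold - 1))
    return failed_login_alerts(burst, threshold, window_minutes) == {"probe": expected_alert_time}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("terminated accounts still active:", terminated_accounts_still_active(evs, TERMINATIONS))
    print("failed-login alerts:", failed_login_alerts(evs))
    print("alert rule self-test passed:", alert_rule_self_test())
```

On the sample data, `bob` is flagged (his 3 March login is more than 24 hours after his 1 March termination), `alice` is not (her only login predates her termination), `carol` trips the alert on her fifth failure, and `dave`'s two failures a day apart never accumulate inside the window. The self-test is what turns the alert rule into an auditable control: schedule it with the log review so that a silently disabled rule is noticed.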
Protecting PHI is a constant challenge, and one that must be monitored and adjusted over time. Implementing audit controls is an essential check that your safeguards are working as designed. Without this step, you may be putting PHI at risk without ever realizing it.
How To Prepare For The HIPAA Audits
HIPAA Audits Officially Underway
Last week the HHS Office for Civil Rights (“OCR”) announced that it has started the second phase of its HIPAA Audit Program (the first phase was the pilot conducted in 2011 and 2012). Audit letters are going out now to Covered Entities; letters to Business Associates will follow.
Organizations will have only ten days to produce requested documentation, so you must be prepared before a request is received. Here are the most useful things you can do now to prepare for a potential audit.
- Identify Business Associates: OCR has announced that it will request a list of Business Associates from every organization audited. If you do not have a current list of your Business Associates, compile one now.
- Include Dates on all Compliance Documentation: OCR is looking for a current, ongoing, and comprehensive HIPAA compliance program, not a one-time project. Therefore, ensure every compliance document is dated as of the last time it was reviewed.
- Documentation Should Accurately Reflect the Compliance Program: The vast majority of audits will be desk audits, so your only opportunity to demonstrate your safeguards is through your documentation. What you submit must accurately and comprehensively demonstrate an ongoing compliance program.
- Only Submit What Is Requested: Give the auditor what is asked for, and little, if anything, more. Extraneous information could confuse the auditor and lead to a more in-depth compliance review.
- Have a Current Risk Assessment: This is a fundamental requirement of the Security Rule and is absolutely necessary for a successful audit.
- Notice of Privacy Practices: The Notice of Privacy Practices must meet all requirements, and be posted online as well as in waiting areas. Additionally, organizations should have policies and procedures for documenting that patients have acknowledged receipt of the Notice.
- Policies and Procedures for Individuals’ Access to PHI: Organizations must have policies and procedures that document how patients can review and receive copies (for a reasonable, cost-based fee) of their PHI.
- Incident Response Policies and Procedures: Ensure that policies and procedures detailing how to investigate and respond to a suspected misuse of PHI are in place. Identify the members of the incident response team, and ensure they understand their roles and responsibilities.
In closing, there is much to be done to prepare for a HIPAA audit, and the time to prepare is now. A hurried response to an audit request will likely lead to a poor result.