Implementing Audit Controls

Once you have implemented the necessary PHI safeguards, the next task is to create audit controls by which those protections are monitored.  Audit controls are a necessary and very important aspect of HIPAA compliance and PHI protection.  It is not enough simply to implement a safeguard; there must be a diligent process to confirm that each safeguard provides the anticipated protection and is consistently applied.

To implement proper audit controls you should specify a schedule of reviews.  These reviews are your check that everything is working as intended.  For example, if you implement a policy and procedure to terminate outgoing employees' access within 24 hours of their departure, your audit control would be to compare the list of terminated employees against your active accounts and access logs, looking for any whose accounts remain open or were used after departure.  You may choose to do this review every quarter, every month, or even more frequently depending on the usual amount of turnover within your organization.  Without this step, you will not know whether the policy and procedure are effective.

For more voluminous logs, a complete review may not be practical.  For instance, reviewing every successful and unsuccessful login attempt may take a significant amount of time.  Alternatively, you can review a sample of the logs at a higher frequency.  You may also consider configuring alerts to the appropriate staff members after a set number of failed login attempts.  In that case, you would periodically verify that the alerts are still enabled and are generated in the right circumstances.
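To make the two reviews above concrete, here is an added example (not code from the original post) of a small review script that runs both checks over constructed data: an HR termination list, a directory export of enabled accounts, and a handful of authentication log lines.  The usernames, dates, log format and the 5-failures-in-15-minutes threshold are all assumptions chosen for illustration; in practice you would export the same data from your own HR system, directory and log source.

```python
"""Periodic audit-control review for two safeguards:

 1. access of terminated employees is removed within the 24-hour policy
    (account still enabled, or used, after the grace period)
 2. a failed-login alert threshold is being crossed (and so should have
    fired an alert the reviewer can then confirm was received)

All input data below is constructed for this example; usernames, dates
and the log line format are hypothetical.
"""
from datetime import date, datetime, timedelta

# Constructed HR records: username -> last day of employment.
TERMINATIONS = {
    "jdoe": date(2016, 3, 1),
    "asmith": date(2016, 3, 10),
}

# Constructed directory export: username -> account enabled flag.
ACCOUNTS = {
    "jdoe": False,   # disabled on time
    "asmith": True,  # still enabled after termination (policy violation)
    "bjones": True,  # current employee
}

# Constructed authentication log (hypothetical key=value format).
AUTH_LOG = """\
2016-03-02T08:15:00 login user=bjones result=success
2016-03-02T08:16:10 login user=asmith result=success
2016-03-02T08:17:00 login user=jdoe result=failure
2016-03-03T09:00:00 login user=mallory result=failure
2016-03-03T09:00:05 login user=mallory result=failure
2016-03-03T09:00:09 login user=mallory result=failure
2016-03-03T09:00:14 login user=mallory result=failure
2016-03-03T09:00:20 login user=mallory result=failure
2016-03-12T07:45:00 login user=asmith result=success
"""

REVIEW_DATE = date(2016, 3, 31)  # the day the reviewer runs this check


def parse_log(text):
    """Turn log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _action, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), fields["user"], fields["result"]))
    return events


def stale_terminated_accounts(terminations, accounts, as_of, grace_days=1):
    """Terminated users whose account is still enabled after the grace period."""
    stale = []
    for user, term_date in terminations.items():
        deadline = term_date + timedelta(days=grace_days)
        if as_of > deadline and accounts.get(user, False):
            stale.append(user)
    return sorted(stale)


def post_termination_access(events, terminations, grace_days=1):
    """Successful logins by a terminated user after the grace period.

    This is the stronger finding: the account was not just left open, it was used."""
    hits = []
    for ts, user, result in events:
        term_date = terminations.get(user)
        if term_date is None or result != "success":
            continue
        if ts.date() > term_date + timedelta(days=grace_days):
            hits.append((user, ts.isoformat()))
    return hits


def failed_login_offenders(events, threshold=5, window_minutes=15):
    """Users with at least `threshold` failures inside any sliding time window.

    Returns {user: peak_failure_count} so the reviewer can compare against the
    alerts that were actually generated."""
    failures = {}
    for ts, user, result in events:
        if result == "failure":
            failures.setdefault(user, []).append(ts)
    offenders = {}
    window = timedelta(minutes=window_minutes)
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[user] = max(offenders.get(user, 0), count)
    return offenders


def run_review(as_of=REVIEW_DATE):
    """Run all checks and return the findings for the review record."""
    events = parse_log(AUTH_LOG)
    return {
        "stale_accounts": stale_terminated_accounts(TERMINATIONS, ACCOUNTS, as_of),
        "post_termination_access": post_termination_access(events, TERMINATIONS),
        "failed_login_offenders": failed_login_offenders(events),
    }


if __name__ == "__main__":
    for finding, value in run_review().items():
        print(f"{finding}: {value}")
```

Each finding in the returned report is something the reviewer records and follows up on: a stale or used account goes back to the termination procedure owner, and an offender above the threshold is cross-checked against the alert mailbox to confirm the alert actually fired.  Keeping the review date and thresholds as explicit parameters makes the dated, repeatable record that the audit posts below say OCR looks for.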

Protecting PHI is a constant challenge, and one that must be monitored and adjusted.  Implementing audit controls is an important check that your safeguards are working as designed.  Without this step, you may be putting PHI at risk without ever realizing it.

Learn more:

How To Prepare For The HIPAA Audits

HIPAA Audits Officially Underway

HIPAA Audits Officially Underway

Last week health care providers and health plans began receiving requests from the HHS Office for Civil Rights (“OCR”) to produce documentation verifying compliance with HIPAA.  More organizations will be audited throughout the remainder of the year, and business associates will be audited later this year or early in 2017.  Here is what we know so far.

  • If you have not received notification of a HIPAA audit yet, it does not mean you won’t.  More organizations will be notified in the weeks and months to come.

  • As expected, you will have ten business days to respond to the requests.  No extensions are provided.

  • Requests are a blend of policies, procedures, forms, and evidence.  For instance, OCR has requested form breach notification letters and copies of recent notification letters sent to individuals.

  • Requests can be focused exclusively on privacy, security, or breach notification or can be a combination of the three.

  • All organizations must produce a list of their business associates within the ten-business-day response period.

  • Submissions are made through a portal created by OCR specifically for these audits.  However, the portal provides little, if any, opportunity for explanation or context.  Therefore, the documents submitted must be self-explanatory and speak directly to what is requested.

If you have not received notification yet, there is still time to prepare necessary documentation.  It is unlikely you will be able to prepare adequate documentation once audit notification is received.

Learn more:

How To Prepare For The HIPAA Audits

Preparing for HIPAA Audits Webinar

How To Prepare For The HIPAA Audits

Last week the HHS Office for Civil Rights (“OCR”) announced that it has started the second phase of its HIPAA Audit Program (the first phase ran in 2011 and 2012).  Audit letters are going out now to Covered Entities; letters to Business Associates will follow.

Organizations will have only ten business days to produce requested documentation, so you must be prepared before a request is received.  Here are the best things you can do now to prepare for a potential audit.

  1. Identify Business Associates:  OCR has announced it will request a list of Business Associates from every organization audited.  If you do not have a current list of your Business Associates, compile one now.
  2. Include Dates on all Compliance Documentation:  OCR is looking for a current, ongoing, and comprehensive HIPAA compliance program; not a one-time project.  Therefore, ensure all compliance documentation is dated as of the last time reviewed.
  3. Documentation Should Accurately Reflect the Compliance Program:  The vast majority of audits will be desk audits, thus your only opportunity to demonstrate safeguards is through your documentation.  What is submitted must accurately and comprehensively demonstrate completeness of an ongoing compliance program.
  4. Only Submit What Is Requested:  Give the auditor only what they ask for, and little — if anything — more.  Extraneous information could confuse the auditor, and lead to a more in-depth compliance review.
  5. Have a Current Risk Assessment:  This is a fundamental requirement of the Security Rule and is absolutely necessary for a successful audit.
  6. Notice of Privacy Practices:  A Notice of Privacy Practices must meet all requirements, and be posted online as well as in waiting areas.  Additionally, organizations should have policies and procedures that document receipt of executed Notices.
  7. Policies and Procedures for Individuals’ Access to PHI:  Organizations must have policies and procedures which document how patients can review and receive copies (for an appropriate cost) of their PHI.
  8. Incident Response Policies and Procedures:  Ensure policies and procedures detailing how to investigate and respond to a suspected misuse of PHI are in place.  Have members of an incident response team identified, and ensure they understand their roles and responsibilities.

In closing, there is much that needs to be done to be prepared for a HIPAA audit.  The time to prepare is now.  A hurried response to an audit request will likely lead to poor performance.

Learn more:

HIPAA Audits Officially Underway

Preparing for HIPAA Audits Webinar

Implementing Audit Controls