Ken Miller
Published: Monday, November 2, 2015 - 13:00 Has your organization secured all its electronic healthcare records (EHR)? If not, don’t wait to put the proper policies and procedures in place. If you’ve already secured your EHR, then make sure that you’re ready for an audit by the Office for Civil Rights (OCR). I recently wrote that the OCR is being more aggressive in ensuring that the HIPAA regulations governing EHR security are being enforced. The OCR’s plan includes conducting audits of both healthcare organizations and their business associates, starting in 2016. Here are ten tips that can help you prepare for possible audits. 1. Policies and procedures 2. Know your business associates 3. Keep a ‘compliance file’ handy 4. Take advantage of OCR’s online resources 5. Conduct a comprehensive security risk analysis 6. Review your workforce training 7. Something is better than nothing 8. Use experts when needed 9. Subscribe to the OCR listserv or other HIPAA websites to monitor new developments 10. Respond to OCR audits completely but concisely Of course, if you have questions about the security of your electronic health records or possible audits, contact an outside partner. If you need us, the IT team at HORNE is ready to answer any questions you might have. Ken Miller serves as a senior manager in health care services at HORNE LLP. He concentrates on providing compliance consulting services in the areas of health care billing regulations, privacy regulations and health care internal audit services.
FDA Compliance Ten Tips to Prepare for Electronic Health Records Audits
The Office for Civil Rights has audits planned for next year
Have a comprehensive set of policies and procedures in place, and ensure they are available to staff through a company intranet or other easily accessible method. Make sure it’s clear that the policies have been fully implemented by filling in all the blank fields and removing draft watermarks. Include evidence that you’ve reviewed the policies periodically, and be sure to retain previous versions for six years.
OCR plans to ask you for a list of your business associates. They’ll use the list to determine which companies will be audited. Be sure that your contract management systems can produce a current list.
Maintain a readily available file that includes current evidence of HIPAA compliance. OCR will only permit 10 days to respond to audits, so have as much information as possible at your fingertips. If policies for other business areas cover certain HIPAA elements, include those policies in your file. Keep key evidence, like evidence of HIPAA training, in the file. If other departments are responsible for reviewing logs of network or medical record activity, periodically place copies of their results in the file.
Benchmark your notice of privacy practices and business associate agreements against samples published by OCR. Verify that, at a minimum, your documents cover all the same points. However, be aware that these samples do not include all of the provisions that may protect your organization. You can find samples on the Health and Human Services website; see model notices of privacy practices and business associate contracts.
The lack of a risk analysis or an out-of-date risk analysis is frequently cited as a contributing factor in security-related resolution agreements. Address identified security risks in a risk management plan, with corrective actions documented or, if you did not take corrective actions, the mitigating factors noted. Verify that controls are in place for the root causes of breaches. If the risk analysis is performed internally, retain a summary and a detailed report that can easily be provided to auditors.
Verify that any online systems can produce evidence that specific employees have completed training. If you use an “off the shelf” training product, verify that you have supplemented the general information with specifics for your organization, such as HIPAA contacts, how to report security incidents or breaches, how to use tools such as email encryption, and where to find HIPAA policies. In light of the 2015 healthcare hacking activity, review content on social engineering resistance and add such content to training sessions if it isn’t already included.
Certain requirements involve some proactive monitoring of logs, but many organizations are overwhelmed by the volume of logs and have no evidence of periodic review. Identify certain suspicious or unusual activities, and create reports to monitor these activities that are manageable in scope for reviewers. Verify that you have some form of monitoring in place for all requirements, even if the monitoring is limited in scope.
As part of the periodic “technical and nontechnical evaluation” of your HIPAA compliance program, perform technical tests like internal and external vulnerability scans. Some IT departments may have in-house tools and knowledge to conduct this type of review, but it can be beneficial to have an independent review from outside experts to gain insights on new targets and best practices.
Be on the lookout for new Phase 2 audit information, such as planned audit protocols, and review and incorporate new guidance into your compliance program. Review recent OCR resolution agreements and corrective-action plans, and verify that your organization has addressed the noted deficiencies to avoid repeating the mistakes for which others have paid.
When responding to an OCR audit, be sure to address all requested items, but do not send extraneous or unsolicited materials. Consult with counsel about appropriate responses.
About The Author
Ken Miller
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.
