Ken Miller

Ten Tips to Prepare for Electronic Health Records Audits

The Office for Civil Rights has audits planned for next year

Published: Monday, November 2, 2015 - 13:00

Has your organization secured all its electronic health records (EHR)? If not, don’t wait to put the proper policies and procedures in place. If you’ve already secured your EHR, then make sure that you’re ready for an audit by the Office for Civil Rights (OCR).

I recently wrote that the OCR is being more aggressive in ensuring that the HIPAA regulations governing EHR security are being enforced. The OCR’s plan includes conducting audits of both healthcare organizations and their business associates, starting in 2016.

Here are ten tips that can help you prepare for possible audits.

1. Policies and procedures
Have a comprehensive set of policies and procedures in place, and ensure they are available to staff through a company intranet or other easily accessible method. Make sure it’s clear that the policies have been fully implemented by filling in all the blank fields and removing draft watermarks. Include evidence that you’ve reviewed the policies periodically, and be sure to retain previous versions for six years.

2. Know your business associates
OCR plans to ask you for a list of your business associates. They’ll use the list to determine which companies will be audited. Be sure that your contract management systems can produce a current list.

3. Keep a ‘compliance file’ handy
Maintain a readily available file that includes current evidence of HIPAA compliance. OCR will only permit 10 days to respond to audits, so have as much information as possible at your fingertips. If policies for other business areas cover certain HIPAA elements, include those policies in your file. Keep key evidence, like evidence of HIPAA training, in the file. If other departments are responsible for reviewing logs of network or medical record activity, periodically place copies of their results in the file.

4. Take advantage of OCR’s online resources
Benchmark your notice of privacy practices and business associate agreements against samples published by OCR. Verify that, at a minimum, your documents cover all the same points. However, be aware that these samples do not include all of the provisions that may protect your organization. You can find samples on the Health and Human Services website; see model notices of privacy practices and business associate contracts.

5. Conduct a comprehensive security risk analysis
The lack of a risk analysis or an out-of-date risk analysis is frequently cited as a contributing factor in security-related resolution agreements. Address identified security risks in a risk management plan, with corrective actions documented or, if you did not take corrective actions, the mitigating factors noted. Verify that controls are in place for the root causes of breaches. If the risk analysis is performed internally, retain a summary and a detailed report that can easily be provided to auditors.

6. Review your workforce training
Verify that any online systems can produce evidence that specific employees have completed training. If you use an “off the shelf” training product, verify that you have supplemented the general information with specifics for your organization, such as HIPAA contacts, how to report security incidents or breaches, how to use tools such as email encryption, and where to find HIPAA policies. In light of the 2015 healthcare hacking activity, review content on social engineering resistance and add such content to training sessions if it isn’t already included.

7. Something is better than nothing
Certain requirements involve some proactive monitoring of logs, but many organizations are overwhelmed by the volume of logs and have no evidence of periodic review. Identify certain suspicious or unusual activities, and create reports to monitor these activities that are manageable in scope for reviewers. Verify that you have some form of monitoring in place for all requirements, even if the monitoring is limited in scope.
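The scoped log review described in tip 7, producing the kind of result that tip 3 says to copy into the compliance file, as an added Python example that is not part of this article: it reads constructed EHR access-log lines (the pipe-separated field layout, the business-hours window and the per-day record threshold are all assumptions) and returns a small exception report a reviewer can actually work through and file as evidence of periodic review.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-log lines; the field layout
# timestamp|user|action|patient_id is an assumption, not a real product's format.
SAMPLE_LOG = """\
2015-10-05 08:12:44|jdoe|VIEW|P1001
2015-10-05 08:13:02|jdoe|VIEW|P1002
2015-10-05 23:41:19|rsmith|VIEW|P2200
2015-10-05 09:05:10|tlee|VIEW|P3001
2015-10-05 09:06:33|tlee|VIEW|P3002
2015-10-05 09:07:51|tlee|VIEW|P3003
2015-10-05 09:09:14|tlee|VIEW|P3004
2015-10-06 06:30:05|jdoe|PRINT|P1001
"""

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 counts as in-hours
MAX_RECORDS_PER_DAY = 3        # assumption: tuned so the report stays reviewable

def parse_line(line):
    """Split one log line into (timestamp, user, action, patient_id)."""
    ts, user, action, patient = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, action, patient

def review_access_log(text, reviewer, hours=BUSINESS_HOURS, max_records=MAX_RECORDS_PER_DAY):
    """Return a scoped exception report suitable for filing as evidence of review."""
    after_hours = []                 # (timestamp, user, action, patient) outside the window
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient records opened
    total = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, patient = parse_line(raw)
        total += 1
        if ts.hour not in hours:
            after_hours.append((ts.isoformat(sep=" "), user, action, patient))
        per_user_day[(user, ts.date().isoformat())].add(patient)
    high_volume = sorted(
        (user, day, len(pats)) for (user, day), pats in per_user_day.items()
        if len(pats) > max_records
    )
    return {
        "reviewed_by": reviewer,
        "entries_reviewed": total,
        "after_hours_access": after_hours,
        "high_volume_users": high_volume,
        "exceptions": len(after_hours) + len(high_volume),
    }
```

On the sample data the report lists two after-hours events and one user who opened four distinct records in a day, which is the whole set a reviewer has to sign off on for the period.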

8. Use experts when needed
As part of the periodic “technical and nontechnical evaluation” of your HIPAA compliance program, perform technical tests such as internal and external vulnerability scans. Some IT departments have the in-house tools and knowledge to conduct this type of review, but an independent review by outside experts can add insight into what attackers are currently targeting and into current best practices.

9. Subscribe to the OCR listserv or other HIPAA websites to monitor new developments
Be on the lookout for new Phase 2 audit information, such as planned audit protocols, and review and incorporate new guidance into your compliance program. Review recent OCR resolution agreements and corrective-action plans, and verify that your organization has addressed the noted deficiencies to avoid repeating the mistakes for which others have paid.

10. Respond to OCR audits completely but concisely
When responding to an OCR audit, be sure to address all requested items, but do not send extraneous or unsolicited materials. Consult with counsel about appropriate responses.

Of course, if you have questions about the security of your electronic health records or possible audits, contact an outside partner. If you need us, the IT team at HORNE is ready to answer any questions you might have.


About The Author

Ken Miller

Ken Miller serves as a senior manager in health care services at HORNE LLP. He concentrates on providing compliance consulting services in the areas of health care billing regulations, privacy regulations and health care internal audit services.