The Office of Civil Rights (OCR) in the Department of Health and Human Services audits HIPAA compliance and is saying to expect to begin a permanent random HIPAA audit program. The OCR conducted an analysis of data breach reports filed during 2011-2012 to determine the most common errors that cause hospitals and practices to lose important data and become subject to HIPAA violations.
The OCR identifies the following 6 areas that require attention to avoid a violation of HIPAA in an audit.
6 Areas to Check in Case of a HIPAA Audit
Risk Analysis and Management
- Does your practice have risk analysis and risk management plans?
- Do you address potential risks for electronic and printed Personal Identifiable information (PHI)?
- What data is sending out of your practice, on what networks, and to where?
- Do you have a business associate’s agreement with each entity that receives PHI?
Security Evaluation
- Identify Potential Areas of Risk
- Establish Processes to Reduce Unintentional Errors
- Empower the Response Team
- Test Your Plan
- Develop a Communication Plan in case of a Data Breach
Control of Portal Device
- Have policies and procedures about portable devices, especially ones that leave the office.
- Data in Transit should be protected by documented safeguards
- Portable computers must require two layers of authentication to help prevent unauthorized access to data stored on a lost unit.
- What happens to the data when the end user returns a portable computer with PHI that is no longer needed on the device?
Proper Disposal of Data
- Document data disposal procedures for wiping hard drives clean.
- When hardware is replaced, the old hard drive must be purged or wiped thoroughly before it is recycled, discarded, or transferred to a third party.
Access Control
- Program computers to shut down automatically after a specified time of not being in use.
- Make sure patient information is not visible from any computer screens to outsiders.
- Lock computers so only people with granted access are able to use them.
Training
- Train new employees as soon as possible on your privacy and security policies and procedures—as well as on the appropriate uses and disclosures of PHI and the safeguards to protect the information from improper uses and disclosures.
- Every physician and employee must be aware of the potential sanctions, costs, and other consequences for failure to follow the practice’s policies and procedures.
- The human resources manual clearly specifies the actions to take if a physician or staff member violates HIPAA privacy rules.
Keep Your Office Protected & Compliant
It’s everyone’s responsibility to be vigilant in protecting health information and protecting the practice.
We specialize in helping you find the document management contractor that’s right for your businesses, while maintaining all HIPAA regulations. To learn more about the document management services that we can provide please fill out the form to the right, or give us a call at (866) 385-3706.
