Prepping for 2015's HIPAA Audits
Attorneys Offer Tips for Surviving OCR Scrutiny
As federal regulators plan to resume random HIPAA compliance audits in 2015, organizations should prepare by doing their own mock audits, say privacy and healthcare attorneys Alisa Chestler and Donna Fraiche of law firm Baker Donelson.
"You should be doing mock audits to determine where you have exposures and to do your best to remediate those exposures prior to any sort of audit from the government," says Chestler in an interview with Information Security Media Group.
Fraiche adds that during the mock audits, healthcare providers should ensure that they have all HIPAA-related documentation in one place, so that they can provide proof to government auditors of their security and privacy compliance efforts.
That includes documentation related to HIPAA education that the organization has provided to its staff in all departments. Additionally, covered entities should be ready to show that they've reviewed all their business associate agreements to ensure they're up-to-date and include all the HIPAA Omnibus Rule provisions that went into effect in 2013.
The key is to demonstrate that the organization is "cybersecurity sensitive," Fraiche says.
However, the mock audits being performed now for the next round of Department of Health and Human Services' Office for Civil Rights audits in 2015 shouldn't be the same dress rehearsals organizations may have performed in the past, Chestler says. For instance, entities should closely examine bring-your-own-device policies and procedures. The focus should be on newer security issues that have developed at an organization since the last time compliance was self-examined, she notes.
In the interview, Chestler and Fraiche also discuss:
- Why recent HHS HIPAA guidance related to Ebola is also an important reminder to covered entities about dealing with patient privacy issues during all kinds of public health emergencies;
- Why business associates will be a bigger target of OCR's HIPAA enforcement actions in 2015;
- HIPAA Omnibus compliance issues that are still posing challenges to covered entities and business associates more than one year after the rule went into effect.
Chestler, a shareholder in the Washington, D.C. office of Baker Donelson, concentrates her practice in healthcare and insurance regulatory compliance; privacy, security and records management issues; and corporate transactions matters. Chestler joined Baker Donelson after serving as in-house counsel and privacy officer to several large public and private companies. Her experience with HIPAA/HITECH compliance includes preparing and negotiating business associate agreements, developing policies and procedures, and advising clients on data breaches and notification obligations.
Fraiche is a shareholder in the New Orleans and Baton Rouge offices of Baker Donelson and a member of the firm's health law and public policy departments. She concentrates her practice on the general representation of health care organizations, companies and individuals in major regulatory, public policy and litigation efforts. Fraiche served as the first female president of the organization now known as the American Health Lawyers Association and is currently a fellow of the association. She is also past president of the Louisiana Bar Foundation.