HIPAA Audits: Documentation Is Critical
Expert Insights on Preparing for ScrutinyHealthcare organizations can't afford to procrastinate in thoroughly documenting their HIPAA compliance efforts because the restart of federal audits is looming, says security expert Tom Walsh.
When the Department of Health and Human Services' Office for Civil rights issues an audit notice, "from that date on, any documentation you create doesn't count" in terms of evidence of compliance, Walsh notes.
"Policies need to reflect accurately what you're doing in your environment," he says in an interview with Information Security Media Group during the recent Healthcare Information and Management Systems Society privacy and security forum in Boston. "I tell clients, 'say what you do, do what you say.'
"A smaller, shorter policy that actually reflects your practices is better than downloading something off the Internet that looks impressive and states a lot of requirements [that] you're not doing. The main thing is to make sure it's accurate, because when they come out to do an audit, they do a three-step process."
Walsh calls that process, "the three Ps" - perception, policy and practice. "Perception" involves regulators interviewing different levels of management about various policies, such as passwords. Next, regulators will examine the organization's documented policies to see if they match up with what management described. "Then they'll get with a systems administrator and have them log onto a system and say, 'show me the requirements,'" he says. "In order to pass that criteria, all three of those P's have to match up."
Revised Audit Plans
OCR had planned to start up its next phase of HIPAA audits this fall, but the program has been delayed until the agency completes the rollout of technology that will enable the agency to collect documentation from audited entities via a Web portal, says Linda Sanches, an OCR senior adviser (see HIPAA Audits: Revised Game Plan).
Also, with a boost in funding, OCR will do more comprehensive on-site audits and fewer remote "desk audits" than originally planned, she says.
Before the next round of audits begin, OCR plans to update the HIPAA audit protocol that was released in 2012. In the meantime, however, Walsh suggests organizations should download the original protocol, which contains requirements for compliance with the HIPAA privacy, security and breach notification rules, to help guide them in their preparation for a possible audit.
In the interview, Walsh also discusses:
- What business associates need to know about HIPAA audits;
- What OCR looks for during a breach investigation;
- Advice for organizations faced with an HHS audit related to the HITECH Act "meaningful use" financial incentive program for electronic health records.
Walsh is founder and president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He has more than 22 years of information security experience. Walsh is also a frequent healthcare industry speaker, and is the authors of four books on healthcare information security.