It’s one thing to prepare your organization with a solid defense against a potential privacy breach. Add in an HHS/OCR audit or investigation, and it becomes crucial that organizations take the necessary steps to comply with the HIPAA Privacy, Security, and Breach Notification rules. 

Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar and Associates, outline 10 tips for preparing for an OCR audit. 

1. Learn your compliance status. This goes for both HIPAA privacy and security rules and the interim final breach notification rule. According to Sher-Jan and Apgar, every covered entity should gain a full understanding of its compliance and gaps with these rules. Conducting an evaluation or gap analysis of HIPAA privacy, security, and breach notification requirements, they said, is the logical starting point. And, don’t forget about your business associates, since they can pose a “significant risk” as well. Remember, they warned, that the HIPPA security and privacy rules have been with us for several years, and the interim final breach notification rule was effective September 2009.

2. Create a centralized management system for your documents. Current and accurate documentation that is easily accessible is key, said Sher-Jan and Apgar.  It’s essential to compliance and provides protection against significant legal risk. This includes policies, procedures, risk analyses reports, training records and other related compliance activities. 

3. Develop a compliance plan. Your plan should prioritize high to low risk compliance gaps and assign resources to close compliance gaps. According to Sher-Jan and Apgar, the gap analysis, defined in the first point, should be used to develop a plan of action, drive organizational alignment and allocate the resources necessary to execute the compliance action plan. Keep in mind, though, that surviving an audit or investigation is not about making sure that now gaps are found – however, said Sher-Jan and Apgar, it’s critical you demonstrate a credible remediation/action plan and evidence of execution toward bridging the gaps. In other words, you need to show a commitment to 'culture of compliance’ and demonstrate due diligence.

4. Prepare and implement HIPAA policies and procedures. According to Sher-Jan and Apgar, organizations must have policies and procedures in place that help them protect the confidentiality, integrity, and availability of protected health information. Once again, they said, the map analysis will identify if any policies and procedures are missing or need to be updated in light of evolving regulations and use of new technologies and social media within the healthcare industry. And keep in mind, your highest security risk, they said, is people, and policies and procedures are key to mitigating that risk. You also need to demonstrate that policies, procedures, and processes followed by your organization are reviewed on a regular basis and are current, accurate, and enforceable, they advised.

5. Create an incident response plan. An incident response plan, or IRP, is a critical element in planning for compliance and protecting PHI, said Sher-Jan and Apgar. According to them, the IRP provides an overall strategy for how covered entities will react to a patient and/or security incident and comply with the federal interim breach notification rule’s burden of proof provision. They added it’s important to demonstrate you have an incident response team, plan, and procedures that will ensure a consistent and timely response to any incident. “Remember, a breach is ‘discovered’ when you know about it or should have known about it,” said Apgar. “This means if you’re not compliant, you may not know about breaches of PHI in time to meet your legal notification requirements.”

Continued on the next page.