HIPAA Compliance: Can You Fail an Audit?
Since the arrival of HIPAA privacy and security requirements in 1996, healthcare providers and covered Business Associates have scrambled to comply…but many of these organizations have yet to experience the true pressure of a formal HIPAA audit ordered by the HHS Office of Civil Rights, which administers HIPAA statutes.
While HIPAA audits may not be as regular as the rising sun, they do happen, and their frequency is gradually increasing. Learn more about the process (and protect yourself from phishing scams) by reviewing HHS HIPAA audit program information here.
In the meantime, keep these common issues in mind.
If we receive notice of an audit, how long will we have to prepare?
Not long. The HHS will allow about 10 to 14 days to get your documentation in order, which is not quite long enough for many organizations that are woefully unprepared, haven’t taken HIPPA compliance seriously, or have launched too recently to have the necessary documentation and privacy protections in place. The best protection against a panicked rush is simple: start now.
We won’t be audited because our organization is way too small.
Think twice; smaller organizations are actually more likely to be targeted by auditors, not less. There’s a reason for this: small medical practices tend to have more compliance problems and breach vulnerabilities that large health systems, and the same rule applies to Covered Entities versus Business Associates.
We are not a healthcare provider, only a Business Associate. Our hospital clients are likely to be audited, but not us.
Again, Business Associates are certainly reasonable targets for a HIPAA audit, and keep in mind that your Covered Entity clients may fail their audit if compliance gaps are found within your own systems. If your privacy protections are too flimsy, you may be penalized by HHS and ALSO lose clients.
We haven’t had a data incident, which means we haven’t sent up any red flags.
Recognized data breaches aren’t the only events that can draw attention and trigger an audit. Besides, you may have actually had data breaches, complaints, or issues arising before your current protocols were set in place. If you’ve ever experienced the loss or theft of an unencrypted device, this may sound an alarm and reveal signs of more serious data weaknesses.
Keep in mind that encryption, a high-level risk assessment (not just a checklist review), and a professional analysis of your data management systems are all less expensive than HIPAA penalties. Contact our team today to learn more.