Here's Why You Should Do a HIPAA Audit

The Department of Health and Human Services' Office of Civil Rights (OCR) is increasing the number of random audits it is doing this year. While the chances that any one practice will be audited are low, if the OCR does decide that you’re the one, you won’t have long to get your act together. Depending on how long it takes OCR’s letter to reach you, you may have as little as a week to prepare.

Everyone in your office has had HIPAA training, all your patients sign a form acknowledging that they understand their rights, and you have a written privacy policy on file. With all of this, you’re in good shape and haven’t thought much about HIPAA regulations in ages. If that describes your attitude, it’s time to give privacy a little more thought.

“When HIPAA first came out, everyone was living and breathing HIPAA regulations,” said Erika Adler, a Chicago-area lawyer specializing in regulatory and transactional health-care law. “But after a few years, practices became complacent.” She says that is a dangerous attitude to have.

If you take the time to make sure you are on top of and up to date with HIPAA compliance, you won’t have to worry about getting that letter from OCR. You’ll be ready. “Have all your paperwork-policies, schedules of disclosures, etc.-ready and organized, and make sure everyone has had and signed off on annual training,” Adler said. The better organized your paperwork is, the less likely the auditors are going to ask to see more.

Even though risk assessments are required, most practices don’t do them regularly. The best approach to risk assessments is to have your own, ongoing risk assessment program tailored to your practice. “Many practices have online surveys and quizzes, Adler said. “The staff take them. If they don’t pass they have to re-take the HIPAA training.” These surveys can be good at finding weak spots, she said. Adler suggests changing the questions frequently and incorporating examples from the news, such as violations that have caught other practices. She also recommends regular walk-throughs to make sure you haven’t gotten sloppy about leaving patient information out or positioning computer screens where they can be easily seen.

Preparation for a visit from the OCR is not the only, or even the best, reason to do your own audit said John Meigs, president-elect of the American Academy of Family Physicians. “Patient privacy is a serious concern; it’s a good idea to do regular risk assessments and audits to make sure things aren’t falling through the cracks,” he said. “The medical profession has always been serious about protecting patient privacy, but these days with all the devices and gadgets that store patient data, we have to be even more careful.”

In our next post, we’ll give you some tips and suggestions on what to look for when you do your own audit and share some online resources that might be helpful.