If your company is regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you will undergo regular audits. These are serious affairs, not to be taken lightly. In 2014, the Office for Civil Rights outlined a framework for phase 2 HIPAA compliance audits. These audits are much more rigorous that the original pilot audits of the previous years. So below, are some tips on preparing for a HIPAA compliance audit, when your company’s turn comes around.
Passing a HIPAA Compliance Audit is All About Good Governance
Most of the companies that fail a HIPAA audit, did so because they lacked a robust governance framework. Corporate governance, of a legislative standard, needs to be advocated by the C-suite. This cannot simply be delegate to somebody lower down the management chain. Governance needs to be under executive control. With clear responsibilities defined for whoever becomes the champion for corporate governance within the enterprise.
Know the Enemy
You cannot come at HIPAA compliance backwards. A full understanding and working knowledge of all of the policies and procedures that make up HIPAA regulatory requirements is vital. This will almost definitely mean that a working party needs to be established. One that can understand the legislative requirements in both technical and physical terms.
Don’t Try and Force a Square Peg in to a Round Hole
When it comes down to passing a HIPAA audit, the key word is compliance. This means that the business processes and operational policies need to comply with HIPAA requirements. Not the other way around. Preparing for a HIPAA audit by trying to interoperate the legislative requirements in a way most comfortable for the business, is simply wrong. The business needs to change to fit what HIPAA wants, vice versa.
Identify Data Silos
Make sure that the location of all data silos that fall under HIPAA regulation are accounted for. This includes not just business side data, but also external data. Any data stored or used by third party entities, will still fall under a HIPAA audit. Simply because it is not on site, does not mean it won’t be investigated at audit time.
Prepare the Workforce
In point one, the idea of top level management taking responsibility for HIPAA compliance was discussed. However, this does not mean that each person in the organization does not need to take responsibility for their own compliance. Do not stint on giving employees proper training in working in a compliant manner. It only takes one slip by a lower level employee, to have a compliance breeching result.
Consider Using Outside Help
If the enterprise lacks the internal skills to a) evaluate its current compliance position and b) develop a strategy to become compliant, then external experts might be needed. Of course, there is a cost attached to this. But a much lower cost than losing status as a HIPAA compliant business would be.
A HIPAA audit is a stressful process for any business to go through. Making sure that the company is fully prepared long before the audit makes sense. Put simply, if the company is aligned with HIPAA requirements, and already operating in a fully compliant manner, then it should have little to worry about.
For more information on how to prepare for a HIPAA compliance audit, download our HIPAA Compliance Guide.