In 2016 the Department of Health and Human Services (HHS) conducted over 5,000 HIPAA audits, which resulted in 56 billion dollars in fines. HHS is expected to increase the number of audits further under the current administration. Is your organization prepared for an inevitable HIPAA audit? Most organizations are not ready for this extensive review, and failing it can cost millions of dollars in fines.
The life insurance company MAPFRE was not properly equipped to meet HIPAA compliance standards. On January 18, 2017, HHS announced a 2.2 million dollar settlement with MAPFRE over the loss of a USB device containing the sensitive data of 2,209 individuals. The fine was paired with a requirement to implement a corrective action plan.
In our time working in the healthcare sector, our compliance experts have found that one in four healthcare organizations are not HIPAA compliant. Many of these organizations maintain nothing more than a notice of privacy practices.
HHS determined that MAPFRE had not performed a comprehensive risk assessment, had no risk management plan or policies, and had not encrypted the data on the lost device, among other missing risk-mitigation measures. Would an auditor find the same at your organization if an audit began tomorrow?
To prepare your organization for a HIPAA audit, perform a risk assessment of your HIPAA vulnerabilities. Go over the security, privacy and breach notification rules with a fine-tooth comb and compare them with your organization's current compliance program. Every potential risk to protected health information (PHI) must be identified and documented, along with the controls you currently use to address each identified risk. The HHS website provides guidance for organizations of all sizes on how to perform a proper security risk assessment.
If you are selected for an audit, be prepared for a full document review. HHS needs to see evidence of every procedure you have in place to remain compliant, and that evidence is your documentation. Be as detailed as possible, and be able to hand these records over to HHS quickly.
Your policies and procedures must change with every organizational change. Being ready for a HIPAA audit is not a one-time job; regular reassessment and documentation are crucial to passing. To ensure your security assessment meets HIPAA standards, we recommend seeking outside help from security experts on the cybersecurity controls your organization needs.
When preparing for an audit, do not get so wrapped up in the technical safeguards that you neglect the requirements for your staff. Regular training and enforcement of good practices should be part of your organization's compliance plan at all times.
Avoid security breaches, staff mistakes and violations by speaking with the Crossroads compliance team. We have spent over 20 years in the healthcare industry helping organizations become HIPAA compliant. Contact us below to learn what it will take to prepare for a HIPAA audit.