Health Law Blog - Healthcare Legal Issues

OCR HIPAA Audit Resources For Healthcare Providers

 HIPAA Audit Resources for OCR Audit of Health Care Providers

 HIPAA Information For Covered Entities

 HIPAA Audit Protocol

 Office of Civil Rights (OCR) HIPAA Notification Page

HIPAA New Archives

Patient Safety Confidentiality (PSQIA)

Sample Business Associates Contract

 Things To Do Before a HIPAA Audit is announced

Before you even have notice that you may be the subject of a HIPAA audit, you should be certain that your HIPAA “ducks” are in a row. Taking last-minute action when an audit is announced will not be nearly as effective as demonstrating that you have had a long-term commitment to HIPAA compliance. Here are a few things that you should do now, before you are the subject of an audit. This list is not meant to be all-inclusive.

  • Review all policies and procedures that are required in order to comply with HIPAA. Consider an external review by an independent party.
  • Document a plan of correction if deficiencies are identified and document the correction process.
  • Designate departmental individuals who are responsible for HIPAA issues and prepare them to address the process of implementation in their area of responsibility.
  • Conduct a thorough risk analysis in accordance with OCR risk assessment guidance (referenced below).
  • Assure that your compliance training program is up to date and that employees have signed off on receiving required training. Correct any discovered deficiencies in training.
  • Audit every outside vendor and contracting party and make certain that there is an appropriate Business Associates Agreement in place.

Major Issues Arising In First Round of HIPAA Audits

  • Patient record request review process, specifically denial process;
  • Providers failing to provide patients with access to their records;
  • Insufficient or non-existent policies and procedures;
  • Improper use of information relating to decedents;
  • Disclosure of information to personal representatives;
  • Risk Assessment process; and
  • Difficulties with Business Associate Agreements.

HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis. The OCR has issued guidance on conducting such an analysis. In the event of an audit, the results of your audit are likely to be requested. A review of your HIPAA policies should be conducted on an annual basis. Any deficiencies should be identified and addressed in a corrective action plan. Carefully document your review and the process you use to correct any identified deficiencies. OCR Audit Guidelines


John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.