Nothing sends shivers through an organization like the word audit! While your chances of getting an audit are very low, and your focus is always on safety, we thought it might be helpful to give you a quick 14 tips to help things go smoothly. HIPAA compliance is increasingly cumbersome and intrusive. Here are a few things to keep your practice prepared for future audits:
- Make certain your practice has the HIPAA Notice of Privacy Practices (NPP) prominently displayed in the waiting room. This is an easy requirement to reach, but also easy to overlook.
Should you ever be audited, this will be the first item the auditor will look for. - Annually, conduct a HIPAA Risk Assessment following the guidelines in cms.gov and www.hhs.gov/hipaa. Take action to close the gaps identified in the assessment and document action taken and when.
- Make certain that all Business Associates are accounted for (Make a List!) and verify that you have a copy readily at hand of all Business Associate Agreements.
- HIPAA-proof your office: turn PC’s away from prying eyes; do not leave paper records out where others can see them. Always have users log out of their PC if they leave their desk unattended.
- Train your staff: All staff including the Practitioners should have documented HIPAA training AT HIRE and ANNUALLY. Documentation in the form of a sign-in sheet should have dates, PRINTED names and titles as well as signatures.
- Make certain that your Policies & Procedures (P&P) address HIPAA rules and requirements and State laws. Remember to include Minimum Necessary rules, job descriptions for all staff by job duties, and that the HIPAA P&P’s are reviewed with staff annually.
- Access to PHI (Protected Health Information) in your office should be limited by job duties and roles and should say so in the job descriptions.
- Make certain that PHI is not accessed, altered or destroyed inappropriately.
- Appoint a HIPAA Compliance Officer and a HIPAA Security Officer.
- Conduct audits periodically and document what was audited and what actions were taken.
- Document all HIPAA activities: Remember, IF IT WAS NOT DOCUMENTED, IT DID NOT HAPPEN.
- HIPAA requires that you keep track of all releases of PHI for at least 6 years, and if the patient requests it, give the dates of these releases, the party released to and what PHI was released. Billing and Continuity of Care are routine releases and not required to be logged.
- If you are replacing Computers, FAX or photocopy equipment, remember to destroy the hard-drives, as these contain reproducible PHI.
- Lastly, your physician(s) should consider serving on hospital committees, such as Joint Commission readiness or Compliance. Do this to keep abreast of current issues and to compare notes with other physicians on pertinent issues.