Is your organization prepared for a HIPAA audit? If you aren’t or you’re not sure, you’re not alone. Many organizations aren’t prepared for an audit. This is even more concerning when you consider the fact that OCR audits are up 400% and there’s a 96% failure rate. The good news? We’re here to help. In this content series, we’re going to let you in on everything you need to know to make sure your organization is prepared. Keep reading to learn about the five simple steps your organization can take to pass a HIPAA audit.
What is a HIPAA audit?
Before we go any further, it’s critical to understand what a HIPAA audit is. According to the U.S. Department of Health & Human Services the goal of a HIPAA audit is to “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” Every covered entity and business associate can be audited. This means that any organization can find themselves subject to an audit.
Why do organizations need to prepare for HIPAA audits?
Preparing for a HIPAA audit is important because if you do get audited and your organization is unprepared, you’re likely to fail. When you’re audited, you are expected to submit all documentation within 10 business days of receiving the request. In almost all cases, 10 business days is not enough time to gather all the information required to pass.
The consequences of this failure can slow down your business at best and completely end your businesses at worst. If you fail a HIPAA audit, there are a number of problems that you or members of your organization can face. These include:
There are four tiers of violations that carry fines. If your organization is reasonably unaware of a violation, the fine starts at $100 per violation. However, even in this first tier, you can be fined up to $25,000 per year. For the most serious of violations, you can be fined $50,000 per violation and up to 1.5 million dollars per year.
Corrective action plans
If your organization fails a HIPAA audit, you may be given a corrective action plan. Typically, this means that for a period of time, you’ll be under the strict supervision of the OCR. During this period, you’ll have to do all the work you should have already done to prepare for a HIPAA audit in the first place. You’ll be expected to assess your compliance and also create and organize all necessary documentation by a certain deadline.
The career impact of an audit failure shouldn’t be overlooked. First, a HIPAA violation can create serious mistrust with your patients and damage your business. This can also lead to termination of employment or future career opportunities being denied to workers. In rare, but very serious cases, HIPAA violations can also lead to jail time. Simply put, not preparing for a HIPAA audit can put the fate of your entire organization on the line. However, this risk and the stress that comes with it are both preventable.
When should your organization start preparing for an audit?
Your organization should start preparing for an audit as early as possible before you ever receive notice of a potential audit. Much like having your tax documents in order to be prepared for an IRS audit, the more prepared you are, the better. The truth is that making sure your organization is HIPAA compliant is an on-going process. Getting the right documents and plans in place won’t happen overnight. Preparing for a HIPAA audit well before it happens increases your chances of passing. (+ decreases the number of headaches you and your staff will experience while it happens).
How do you prepare for a HIPAA audit?
Preparing for a HIPAA audit may seem complicated but it doesn’t have to be. In this content series, we’ll cover 5 steps that your organization can take to prepare for a HIPAA audit. Here’s a quick look at what to expect
Step 1: Organizing
This post will cover why it’s important to organize and gather your documents before a HIPAA audit. We’ll share details on what documents you should collect and how to organize those documents properly.
Step 2: Risk Assessment
The next post will give you a crash course on risk assessment. This is a common point of failure for many organizations during a HIPAA audit. So, you can check out the post to learn how to create your own risk assessment and what to include.
Step 3: Implementing Risk Mitigation
Now that you’ll know what goes into a risk assessment, it’s time to take action. Our post on implementing risk mitigation will teach you how to form a plan to eliminate any vulnerabilities and how to document it. (Yes, this is also a document you’ll need in the event of an audit).
Step 4: Reviewing Agreements
Next, we’ll discuss reviewing agreements. To pass a HIPAA audit, covered entities and business associates must show that they have an agreement and lay out PHI safekeeping procedures. All entities must have the proper foundation to survive an audit of their own. If this seems overwhelming, don’t worry. We’ll walk you through it.
Step 5: Training
In the final part of this series, we’ll cover the training process. This may be the most critical step because many organizations lack proper HIPAA training. However, training shouldn’t be discounted. It allows you to broaden knowledge across your workforce and identify concerns quickly. When your staff understands HIPAA compliance, your organization will have a much easier road to compliance.
In this post, we gave you a sneak peek at the rest of our HIPAA audit content series. We hope that this has helped you understand how you can prepare your organization for an audit and set yourself up for success. Want to stay up to date on our HIPAA audit content series? Check out all our content, including new parts of the series by visiting our blog.
ABOUT THE AUTHOR
Mark Elliott is a Best-Selling Author and CEO. His company, 3i International, helps you apply technology to improve performance and compliance. For over 25 years, Mark has been helping startups to Fortune 500 companies overcome the technology challenges they face. He develops strategies to analyze, manage, and adapt to the ever-changing technology landscape. A central focus has been security and HIPAA compliance. His experience includes preventing, detecting, and responding to hackers and threats. This keeps your organization safe from invasions while simultaneously meeting regulatory compliance.