We’ve been talking and blogging about them for months: the forthcoming OCR HIPAA desk audits. It comes down to one thing: your program documentation.
When most CCOs, CPOs and CISOs we talk to think about documentation, they believe they stand on solid ground for the desk audit experience. They say, “We have worked really hard to improve our policies so we feel like we will do well if we are selected for audit.”
If you are thinking that the documentation the OCR will ask for will be limited to your policies and procedures, you may want to think again. The OCR wants to explore and validate your program’s performance through your documentation. This means the documents requested will likely reach far beyond your policies and procedures. They will likely ask you to submit documentation that demonstrates that what you do in practice aligns with your organizational policies and procedures, and that the sum total of that documentation conforms to the requirements set forth in HIPAA.
What kinds of evidentiary documentation might they request? The document request may seek:
- Current ePHI data inventory
- Past years’ and current IT security risk assessments
- Past years’ and current IT security remediation action plans
- Sample business associate agreements
- Business Associate inventory
- Business Associate risk management plan
- Risk management committee meeting minutes
- HIPAA compliance reports and minutes from Board of Directors meetings
- Evidence of auditing and monitoring efforts – logs, summary reports, meeting minutes
- Breach risk assessment decision toolkit
- Sample breach risk assessment reports with varying outcomes
- Sample notification letters to affected individuals, media, information sharing partners
- Release of Information authorization form
- Uses and disclosures logs of all varieties (response to ROI requests, fundraising, marketing, personal representative, third parties, amendments to medical record)
- Past years’ and current workforce training program materials
- and the list goes on…
In the many audit readiness assessment and mock audit projects we have led over the past few months, we have made our document request as ambitious and far-reaching as we think the OCR’s might be once its protocol is published. Our goal in these projects is to make sure that our clients’ documentation truly tells the story of their HIPAA compliance program and their intent to comply.
Does your HIPAA documentation portfolio tell your story? Set aside a meeting with your HIPAA stakeholder team and do your own gap analysis against a list like the one above. If that leaves you feeling uncertain, it might be worth having a readiness assessment or mock audit performed. It’s not too late to prepare, and exercising your program is just a good idea regardless.
Read OCR’s announcement here: OCR’s HIPAA Audit Program Update