With Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits now well underway, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit.
Late last year, covered entities were selected for desk audits, and the initial round of audits has now been finished. OCR has now moved on to auditing business associates of covered entities.
At HIMSS17, OCR’s Deven McGraw outlined that the full compliance audits, which were scheduled for Q1 2017, are to be delayed. This gives covered entities more time to get ready.
The Phase 2 HIPAA compliance desk audits were conducted in much more detail than the first phase of audits carried out in 2011/2012. The desk audits covered a broad variety of requirements of the HIPAA Privacy, Security, and Breach Notification Rules. However, they only consisted of a documentation check to demonstrate that entities were in compliance.
The onsite audits will go much deeper and will look much more thoroughly into organizations’ compliance programs. Along with being required to show auditors documentation demonstrating compliance with HIPAA Rules, covered entities will need to show OCR evidence of HIPAA in action.
To assist with preparing for the audit process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. Covered entities can use this toolkit to assess their compliance efforts and determine whether they have all the required documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act standards.
The new toolkit describes the legal process of the HIPAA compliance audit program, OCR processes, and now incorporates the new HIPAA audit protocol utilised by OCR in the second phase of the compliance audits.
The new toolkit includes HIPAA compliance checklists covering policies, procedures, and documentation that are likely to be sought by Office for Civil Rights auditors, along with a master policy template for the Privacy and Security Rule compliance program.
AHIMA has also included a HIPAA audit preparation guide, along with advice and best practices that HIPAA-covered entities and their business associates can put in place to help them meet all of their responsibilities.
AHIMA members can obtain the HIPAA audit readiness toolkit free of charge in the HIM Body of Knowledge section of the AHIMA website or through its online store.
The onsite audits may be behind schedule, but covered entities should make sure they are ready for an audit. Even if the audits slip into 2018, as hinted by McGraw, OCR still looks into all breaches of more than 500 records. In the event of a data breach, OCR will seek evidence of compliance with HIPAA Rules, and heavy fines await organizations found not to have complied with the HIPAA Privacy, Security, and Breach Notification Rules.