Top 10 Questions Most Organizations Fail During a HIPAA Audit
Forget about the full-blown HIPAA audit with its more than 192 questions for covered entities (CEs): most organizations fail, and are considered out of compliance, within the first 10 questions.
In the past few years, HIPAA has become the latest five-letter bad word in the healthcare industry. With confusing terminology and enormous fines, non-compliance can be more than a financial setback: you could end up in prison.
So how does your organization stack up? We’ve included 10 questions from the HIPAA Security Rule so you can perform a partial self-audit and see for yourself.
10 Questions from the HIPAA Security Rule

| Section | Key Activity | Audit Procedures | Implementation | Your Answer |
|---|---|---|---|---|
| §164.308 | Conduct Risk Assessment | Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. | Required | YES/NO |
| §164.308 | Implement a Risk Management Program | Inquire of management as to whether current security measures are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). | Required | YES/NO |
| §164.308 | Select a Security Official To Be Assigned Responsibility for HIPAA Security | Inquire of management as to whether the organization has assigned responsibility for HIPAA security to a Security Official to oversee the development, implementation, monitoring, and communication of security policies and procedures. | Required | YES/NO |
| §164.308 | Develop and Implement Procedures to Respond to and Report Security Incidents | Inquire of management as to whether there are formal or informal policies and/or procedures in place for identifying, responding to, reporting, and mitigating security incidents. | Required | YES/NO |
| §164.308 | Develop Contingency Planning Policy | Inquire of management as to whether a formal contingency plan with defined objectives exists. | Required | YES/NO |
| §164.308 | Data Backup Plan and Disaster Recovery Plan | Inquire of management as to whether disaster recovery and data backup plans exist to restore any lost data. | Required | YES/NO |
| §164.308 | Encryption and Decryption | Inquire of management as to whether an encryption mechanism is in place to protect ePHI. | Addressable | YES/NO |
| §164.308 | Implement Methods for Final Disposal of ePHI | Inquire of management as to how the disposal of hardware, software, and ePHI data is managed. | Required | YES/NO |
| §164.308 | Develop and Implement an Emergency Mode Operation Plan | Inquire of management as to whether policies and procedures exist to enable the continuation of critical business processes that protect the security of ePHI while operating in emergency mode. | Required | YES/NO |
| §164.308 | Develop Recovery Strategy | Inquire of management as to whether procedures exist for recovering documents from emergency or disastrous events. | Required | YES/NO |
If you were able to answer yes to each of these questions, congratulations: you’re well on your way to being compliant with the latest changes in the HIPAA laws. If you answered no to just one of them, however, your organization is considered out of compliance and could face fines of up to $1.5 million and possible jail time. Notice that each of the auditors’ questions is addressed to management; it is critical that HIPAA compliance becomes a top priority within your organization.
We don’t want you to take our word for it; take a look at some of the latest enforcement actions that have been levied for non-compliance.