HIPAA Audits
CMS performed recent reviews for HIPAA Covered Entities to verify compliance of "Security Standards for the Protection of Electronic Protected Health Information (ePHI)". After completing these reviews, they identified key compliance areas that practices struggle with:
- Encryption
- Workforce Clearance (ongoing background investigations on all people including vendors who have access to ePHI).
- Security Training
- Computer Security
- Risk Assessment
Know the importance of responding to an OCR pre-audit questionnaire and how to respond!
- Can you respond within the required 10 business days of receiving a questionnaire?
- Do you have a designated privacy official and a list of Business Associates your company uses?
- Have you done workforce training and do you have the proper documentation (federal and state) for proof?
These pre-audits are underway now! If you do not have a plan and documentation in place it will be too late once you get notification. The time is NOW to contact us to prepare you for these audits.
KNOW YOUR BUSINESS ASSOCIATES!!
Regulations consider outside professionals and companies that need access to health information to accomplish their tasks to be "business associates." Does the company or person performing or assisting in the performance of an activity or function involve the use or disclosure of protected health information (ePHI)? Does the business associate provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that require the disclosure of ePHI by the covered entity? If so, a business associate contract is required.
Any cloud provider should sign a BA Agreement, and any reputable cloud provider should be able to pass a SOC 2 audit.
