If you have been in the Health IT (HIT) space for any length of time, you will remember when Atlanta’s Piedmont Hospital was audited for HIPAA compliance back in March of 2007. Fast forward to our era of Meaningful Use. Health and Human Services (HHS) has announced a new round of HIPAA audits for those practices which have received meaningful use funding. HHS expects to audit about ten percent of meaningful use participants.
How can you prepare your practice for an audit? The first step is to conduct a standards-based risk assessment. Incidentally, a risk assessment is also the first step required by the HIPAA security rule and is also core item 15 in meaningful use stage one. Completing a risk assessment will give you a prioritized list of items to address.
Once you have completed your risk assessment and begun remediation, going through a mock audit is a useful exercise. It will help you prepare answers in advance and ensure all your policies are easily located. Here are a few of the questions and items HHS asked Piedmont Hospital to answer or provide during its audit:
1. Establishing and terminating user access to electronic protected health information (ePHI)
2. Inactive session timeout
3. Employee violations and sanctions
4. Risk assessment results
5. Password management
6. Firewall, router, and switch configuration
7. System, network, and device monitoring
8. Regular review of system activity, audit logs, and access reports
9. Antivirus and patch management
10. Wireless security configuration
11. Provide a list of systems that house ePHI
12. Provide a list of recently terminated employees and new hires
13. Provide a list of encryption algorithms
14. Provide a list of outsourced contractors with access to ePHI
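One concrete check a practice can run before a mock audit, tying items 1, 8 and 12 together: cross-reference the ePHI access log against the terminated-employee list and flag any activity on or after a user's termination date. This is an added example, not code from the original post; the log format, the user names and the dates are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample data (not real records): the terminated-employee list
# an auditor would request (item 12) and a few lines of an ePHI access log (item 8).
TERMINATIONS = {
    "jdoe": date(2011, 3, 15),
    "asmith": date(2011, 4, 1),
}

ACCESS_LOG = """\
2011-03-14T09:12:03 user=jdoe system=ehr action=view_record patient=P1001
2011-03-16T18:40:11 user=jdoe system=ehr action=view_record patient=P1002
2011-03-20T08:05:00 user=bwong system=lab action=export_results patient=P1003
2011-04-02T07:55:42 user=asmith system=billing action=login
"""

def parse_log(text):
    """Parse '<ISO timestamp> key=value ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events

def post_termination_access(events, terminations):
    """Return events where a terminated user acted on or after their termination date.

    Each hit is evidence that access was not revoked in time (item 1). Flagging
    the termination date itself is a conservative policy assumption; relax to a
    strict comparison if access on the last day is permitted at your practice."""
    findings = []
    for event in events:
        term_date = terminations.get(event.get("user"))
        if term_date is not None and event["ts"].date() >= term_date:
            findings.append(event)
    return findings

if __name__ == "__main__":
    for hit in post_termination_access(parse_log(ACCESS_LOG), TERMINATIONS):
        print(f"{hit['ts'].isoformat()} {hit['user']} on {hit['system']}: {hit.get('action')}")
```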
HITECH, the act that brought you meaningful use, also amended HIPAA law. The HITECH amendments increased the maximum fine for willful negligence to $1.5 million. If your practice is participating in the meaningful use program, it’s time to get serious about security. If you have questions about security compliance, risk assessments, or audits, please feel free to contact us at email@example.com. We look forward to hearing from you.