HIPAA Audits Need Documentation
Keeping risk assessment documentation and other compliance evidence in a centralized repository is a good way to prepare for any HIPAA audit or investigation.
Office for Civil Rights (OCR) officials have said a permanent HIPAA security audit program is expected to begin sometime after the start of fiscal 2014 on Oct. 1; it will include business associates as well as covered entities. Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance. Of the 115 covered entities audited in last year's pilot program, two-thirds had non-existent or inaccurate risk assessments, OCR officials have said.
In addition to random HIPAA audits, OCR often also evaluates the status of organizations' HIPAA compliance as part of the office's data breach investigations.
It is recommended that you create a centralized documentation repository that builds a book of evidence based on what other organizations have been asked for in HIPAA security audits and other OCR investigations. You should document all your risk management decisions and make them part of your document repository.
To assist with documentation, you may use Microsoft Office Suite, SharePoint, and the full version of Adobe Acrobat so that you can add bookmarks. That practice can help put all important details and evidence in an easy-to-retrieve format that won't break the bank.
Documentation related to an organization's risk analysis is important, considering that the initial round of HIPAA compliance audits conducted in the pilot program showed that many covered entities do a poor job of conducting thorough and timely risk assessments.