Are you a family care practitioner? It's a common assumption that the Office for Civil Rights (OCR) only audits large medical practices, but this isn't necessarily true. While large practices are often targeted, smaller healthcare practices may also be audited. This is why it's important for family care practitioners to prepare themselves for HIPAA audits. Failure to do so could turn into a costly mistake that yields a violation and subsequent fine and corrective action.
Security Risk Analysis
Family care practitioners should conduct a thorough security risk analysis of their workplace to determine whether or not Protected Health Information (PHI) is at risk for disclosure. The good news is that conducting such an analysis should be relatively easy, assuming your practice is small. It involves analyzing systems and security measures which are used to protect sensitive PHI from unauthorized use or access. HIPAA requires all covered entities, including family care practitioners, to conduct thorough security risk analyses on a regular basis.
If your practice experienced a breach involving PHI or Electronic Protected Health Information (EPHI), you'll need to report it using the format set forth in the Breach Notification Rule. The OCR will likely check for breach notifications during its next round of audits. For more information on the HIPAA Breach Notification Rule, check out the official Department of Health and Human Services (HHS) website at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
Of course, family care practitioners should also have privacy notices that explain to patients how their personal information will be used. Some doctors and healthcare practitioners overlook this step, assuming it's not necessary. But when they get audited, they realize this isn't the case. The OCR will check to make sure covered entities have privacy notices in place.
Business Associates Agreement
Assuming your family care practice works with third-party organizations, you'll need to create the appropriate Business Associates Agreements (BAA). These documents detail the type of access the third-party organization will have to your practice's PHI and the way in which it will access that information.
These are just a few tips to help family care practitioners prepare for the next round of HIPAA audits. Above all else, though, familiarize yourself with the HIPAA Security, Privacy and Breach Notification Rules. These are three fundamental principles on which HIPAA was built, so complying with them is essential to passing an audit.