This entry is part 20 of 27 in the series HIPAA Audit Tips

It’s that time of year when we make lists about more physical activity, better eating habits, finding a new job, paying off debts, going back to school, etc. For those in healthcare (Covered Entities) or those serving the healthcare industry (Business Associates and their agents/subcontractors), it’s time to make some HIPAA-HITECH compliance resolutions. And, be better prepared for the continued rise in OCR Audits and Investigations. Here’s today’s big tip – Consider Making Your List of HIPAA – HITECH Compliance Resolutions, Starting with Our List!

HIPAA Audit Tips – Make Your 2013 Compliance Resolutions!

Nothing complicated here… It’s about getting back to basics:

  • Read two (2) recent OCR Settlement Agreements and Corrective Action Plans each quarter (see section entitled “HIPAA and HITECH Enforcement and Legal Actions”).
  • Visit the HHS Breach Website (a.k.a. “Wall of Shame”) and search for your top three competitors each quarter; show your boss or board.
  • Complete that authentic HIPAA Security Risk Analysis you’ve been playing kick the can with for months.
  • Encrypt all mobile devices.
  • Call the C-suite before the OCR Director does; they should appreciate the test exercise.
  • Double check that what you’re doing is reasonable and appropriate, by completing independent, third-party HIPAA Security, HIPAA Privacy and HITECH Breach Notification compliance gap assessments.
  • Memorize two important definitions found at 45 CFR §160.401 Definitions… “Reasonable Diligence” and “Willful Neglect” … and ask at which end of the spectrum between “Reasonably Diligent” and “Willfully Neglectful” your organization falls.
    • “Reasonable diligence” means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
    • “Willful neglect” means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
  • Round up all your Business Associates and their agents/subcontractors and put them on notice (remember what Leon said) that you’re very serious about HIPAA-HITECH compliance; start a formal, organized Business Associate Management Program.

Proven HIPAA Audit Tips – Other Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program. (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation. (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment. (45 CFR §164.530)
  4. Complete a Breach Rule compliance assessment. (45 CFR §164.400)
  5. Complete a HIPAA Security Risk Analysis. (45 CFR §164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures. (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
  7. Document and act upon a corrective action plan.

Join the 250+ companies (both covered entities and business associates) that work with Clearwater Compliance. We can help your organization jump-start your HIPAA Compliance program.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.