Preparing for the Return of HIPAA Audits in 2024: Steps to Success


That’s right, they’re back! 

The Office for Civil Rights (OCR) audits you hoped were a thing of the past—having been discontinued since 2017—are returning. All covered entities will be subject to these HIPAA audits, and they are due to start any day now.  

What does that mean for you as a compliance officer? If you’ve been hoping you could keep sneaking by with incomplete compliance, that time is past. The OCR is showing that they are serious about enforcement and ramping up their efforts to ensure PHI (and patient rights) are protected. 

It’s time to get your ducks in a row and ensure not only your compliance tasks but your records are in order.  

Today, we’re digging in to how exactly you can get started, and where your biggest areas of concern should be as HIPAA audits are impending. 

Want to dive right in? We’ve built you an audit readiness cheat sheet to help you stay on track through this process.

What do we know about the return of HIPAA audits?   

In February, the OCR officially announced that audits would be returning, with Melanie Fontes Rainer, OCR director, stating, “OCR intends to initiate audits of HIPAA-regulated entities later this year.” 

Recently, the OCR has sent surveys out to covered entities that were audited in 2016 and 2017, the last time that HIPAA audits were regularly performed. The page addressing the audits on the OCR website has also been updated. This level of activity leads us to believe that the return of audits is imminent, certainly before the end of 2024.

All covered entities will be subject to these random HIPAA audits according to the OCR, with the potential to trigger corrective action plans or investigations for those found deficient.  

And, if your organization is selected for an audit, you will only have 10 days to supply necessary documentation to the OCR, including policies, BAAs, proof of training, and more. There simply won’t be time to become audit-ready if you aren’t already. That’s why it’s critical to begin preparing for audits now. 

How to Become Audit-Ready 

You may not be able to know if or when you’ll be audited, but you can get audit-ready in the meantime and feel confident that your organization will pass an audit with flying colors.

While the audit protocol is extensive, you can build a strong foundation by ensuring your compliance program is organized, centralized, and up to date.  

The Security Risk Analysis 

One of the most common citations when random HIPAA audits were last regularly performed by the OCR was the lack of a complete and thorough Security Risk Analysis.  

It makes sense: the SRA is foundational to your entire compliance program and can help you identify organizational risks and areas for improvement. You simply can’t ensure HIPAA compliance unless you are aware of risks to PHI. 

Unfortunately, there are many common misconceptions about what qualifies as “complete and thorough” when it comes to the SRA requirement. A self-assessment questionnaire, checklist, or survey you find online—even the ONC SRA tool—will not pass muster during an OCR audit. Ultimately, a questionnaire alone cannot complete an SRA.

Even if you are confident in the quality and scope of your most recent SRA, timing is critical. While HIPAA does not specify the required frequency of SRAs, you can be sure that you will be cited if you haven’t had an SRA completed in the last two years, or since any major change affecting security, like moving physical locations or shifting to a new EMR.

If it’s been a while, the SRA is the best place to start preparing for an audit. 

Policies 

Once you’ve built a strong foundation with an SRA, the next foundational step is to review your policies. Policies form the backbone of your HIPAA compliance program, outlining the rules and regulations that your procedures and training will put into action. 

You might think you’ve got policies covered, but before you skip ahead, consider a policy review to ensure audit readiness. With the rapid pace of regulatory change we have seen recently, it is more important than ever to regularly review your policies to ensure compliance with the current regulations.  

In the case of very recent regulatory changes, it is up to the individual auditor to decide which version of the regulation they will accept compliance with, so it’s always best to be compliant with the most recent version just in case. (Not to mention this is the best way to avoid organizational risk, investigations, and patient complaints.) 

The other factor we have seen auditors focus on when it comes to policies is specificity. More than just recitations of the regulations, your policies should be specific to your organization. 

Policy review is so critical to compliance that every HIPAAtrek customer receives a tailored policy review as a part of our onboarding process. Click here to learn more. 

Finally, ensure that your policies are stored centrally, so that not only your compliance officer but your entire organization has easy access to the most recent version of policies and procedures.  

Remember, policies are one of those items you will have 10 days to produce in the case of an audit—be sure you can locate them at any time. 

Training 

The next step to creating compliance, and one that will be investigated in the case of an audit from the OCR, is HIPAA training. As a compliance officer, you know that training is what truly creates compliance in action.  

In case of an audit, the OCR will look for training documentation including:   

  • The name of the training,  
  • A description of what the training covered,  
  • The date the training was completed, and  
  • Who took the training, including authentication for each person completing training.    

Note: in the HIPAAtrek platform, we use a time and date stamp that functions as electronic authentication. 

Of course, consistent and effective training is about so much more than meeting HIPAA requirements—HIPAA is a civil right, and members of your team have a responsibility to protect PHI.  

Instead of seeing training as an annual requirement to check a box, training should be done as needed for your organization. New hires need to be trained on HIPAA, but employees also need training when their job responsibilities change or when policies and procedures change.  

Generic HIPAA training won’t pass muster, so be sure training is specific to your organization, specific to your policies and procedures, and specific to the role you are training. At HIPAAtrek, for instance, our built-in training videos directly reflect the content in our policy templates, ensuring they meet the training requirement under HIPAA. 

And don’t forget Security Reminders! Required by the Security Rule, security reminders are an opportunity to keep HIPAA training top-of-mind and should be tailored to the needs of your organization, critical issues that come up, or repeat incidents you need to quickly correct. 

Business Associate Agreements

Your Business Associate Agreements are the next step of audit preparedness, and the area where we see the most concern when it comes to that 10-day deadline.

So many covered entities keep their BAAs managed by different departments, or simply stored in different locations across the organization. Now is the time to centralize and organize your BAAs to be sure you can produce them in a timely manner if an audit comes up.

Not only is centralized storage critical in case of an audit, but it gives you, as a compliance officer, access to review these contracts to ensure compliance.  

Storing and managing BAAs across departments makes it difficult to know which BAAs are currently active and challenging to ensure that BAAs are reviewed periodically. This increases organizational risk. 

Decentralized BAAs increase the risk of inconsistent due diligence with Business Associates, overlooking out-of-date contracts, and even missing required BAAs entirely.

Getting your BAAs audit-ready means you should start by storing your BAAs in a centralized location that key stakeholders have access to, and then begin a BAA review process to ensure these contracts are up to date.  

HIPAAtrek Can Help with HIPAA Audit Preparedness 

At HIPAAtrek, we work with compliance officers like you every day to help them find confidence in their compliance—and that means audit readiness!  

Our platform has built-in policy and BAA templates, plus systems to edit, review, execute, and organize these important documents. In fact, our onboarding process includes the policy review you need to ensure policies are up to date with the latest regulations. 

HIPAAtrek’s built-in training videos are short, digestible, and role-specific, and security reminders can be scheduled to be sent regularly. Plus, the documentation you’ll need in the case of an audit is generated automatically.

And our consulting team regularly completes SRAs that truly pass muster at the OCR, and would be happy to help you, too.   

An Auditable Trail of Compliance 

The common denominator you’ll see in each of the audit preparedness steps we’ve outlined above? Documentation. In the case of an audit, the OCR will expect to see not only completed documents, but version history; not only training available but proof of completion.  

In fact, each step of compliance you complete comes together to build a trail that proves your compliance. And in the HIPAAtrek platform, documentation is built in every step of the way, so you always know that trail is growing behind you. 

Our platform automatically tracks document version history for 10 years, records security reminders sent and opened, and tracks training completion including quizzes and results as applicable. 

Click here to learn more about using HIPAAtrek to prepare for an audit.

Are you ready for the return of OCR HIPAA audits?  

While you may have dreaded the return of OCR HIPAA audits, the process of audit readiness is really just the process of building HIPAA compliance.  

From the foundation of the SRA to organizing and centralizing documentation, and training your team, each of these steps is a HIPAA best practice. Audit readiness doesn’t just mean you’re ready to be inspected by the OCR—it means your organization is truly protected from risks of fines, investigations, and patient complaints.  

Ready to review these top steps to success? Don’t forget to download our audit readiness cheat sheet to help you stay on track.
