In an article published by Lexology, Steven Grigas and Elizabeth F. Hodge offer additional insight on preparing for a Phase 2 HHS audit in the 1st Quarter of 2017.
They suggest six items to do in preparation:
Perform a self-assessment and risk analysis of existing security and privacy measures.
Review existing risk management plans and protocols. Ensure that they are up to date and fully documented. If it is not documented – it never happened.
Organize all current and past HIPAA related documentation.
Review, update, and document personnel records to ensure that staff has completed necessary HIPAA training. If it is not documented – it never happened.
Review the published audit protocols of OCR to ensure readiness for the audit.
Review prior OCR alerts and advisories to ensure your current and prior practices are compliant.
Update and organize your listing of Business Associates (BA) and Business Associate Agreements (BAA). If you are a Business Associate, ensure that existing protocols under your BAA are documented and compliant with HIPAA standards.
Institute a plan and structure for the on-site audit, including:
Select which of your employees will participate in the audit;
Select site/work area for auditors to use;
Review and discuss operational aspects with participants and leadership;
Drill down on specific areas of weakness; and
Discuss ways to respond if these weaknesses are raised by audit staff.
An ounce of prevention is worth a pound of cure.
Contact ACES Medical for your independent IT security review and HIPAA preparation.