5 recommendations to prepare for a HIPAA audit
“We’re choosing to be proactive and have our documentation in a relatively ready state,” Dill told HealthcareInfoSecurity. “We’ve heard stories of early audits where boxes of paper were thrown at a regulator, and that will just annoy [HHS], which pays a large percentage of the revenue of many hospitals and providers.”
“You have an opportunity to develop a book of evidence … that’s the way to address the problem,” Dill added. He also suggests these five tips:
- Know what gaps are in your program in advance. The worst time to find out about problems is at the time of the audit, Dill said.
- Be organized. If you look disorganized, HHS will think you are disorganized, Dill said. In addition, you will be able to prevent an on-site audit if your documentation is of the highest quality.
- Display your results in the right format. Dill suggested using the OCR-recommended format (800-30); Cleveland Clinic, he said, uses “an improved format based on the standard.”
- Use three-year benchmarks as “tabs in your book of evidence” for compliance and formal, organization-wide analysis. He suggests keeping a written calendar and schedule of business impact analysis.
- Partner with a reputable third-party consultant or firm. “Third party attestation can reveal at least 30 percent about what you don’t know, and peer comparisons give you a really clear picture,” Dill said.