HIPAA Audits Need Documentation
Keeping risk assessment documentation and other compliance evidence in a centralized repository is one of the best ways to prepare for a HIPAA audit or investigation.
Office for Civil Rights (OCR) officials have said that the permanent HIPAA audit program will cover business associates as well as covered entities. Under the HIPAA Omnibus Rule, business associates are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, so they should expect the same documentation requests.
Of the 115 covered entities audited in the pilot program, two-thirds had non-existent or inaccurate risk assessments, OCR officials have said.
Audits are not the only trigger. OCR also evaluates an organization's overall HIPAA compliance, including its risk analysis, whenever it investigates a reported breach or complaint.
Build a centralized documentation repository that assembles a book of evidence modeled on what other organizations have been asked to produce in HIPAA security audits and other OCR investigations. Record every risk management decision, including the rationale and the date, and keep that record in the repository; the HIPAA Security Rule requires that such documentation be retained for six years from the date it was created or last in effect, whichever is later.
Risk analysis documentation deserves particular attention: the pilot audits showed that many covered entities neither conduct thorough and timely risk assessments nor keep evidence that they have done so.
Contact HCSI to discuss documenting your risk assessment in your Compliance Plans Manual and assessing your audit readiness.