HIPAA Audits Need Documentation
Keeping risk assessment documentation and other compliance evidence in a centralized repository is a good way to prepare for any HIPAA audit or investigation.

Office for Civil Rights (OCR) officials have said a permanent HIPAA security audit program will include business associates as well as covered entities. Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance.

Of the 115 covered entities audited in the pilot program, two-thirds had non-existent or inaccurate risk assessments, OCR officials have said.

In addition to random HIPAA audits, OCR often also evaluates the status of organizations' HIPAA compliance as part of the office's data breach investigations.

It is recommended to create a centralized documentation repository that builds a book of evidence based on what other organizations have been asked for in HIPAA security audits and other OCR investigations. You should document all your risk management decisions and make that part of your document repository.

Documentation related to an organization's risk analysis is important considering that the initial round of HIPAA compliance audits conducted in the pilot program showed that many covered entities do a poor job conducting thorough and timely risk assessments.
Contact HCSI to discuss documenting your risk assessment in your Compliance Plans Manual, and your audit readiness.