Solutions

Solutions powered by
Learn More.
abaqis for Skilled Nursing

abaqis®

Mitigate risk and elevate your quality of care. Improving both clinical and business outcomes starts with a smarter, more integrated approach to regulatory training, continuing education and quality management.

Learn More

NEW TO THE STORE

hStream Content Marketplace

NurseGrid Learn

Online store for Clinical Learners. Individual CE Credit and industry products for Clinical Learners are now available through NurseGrid Learn (Beta). Explore our robust collection of courses that provides an unparalleled level of flexibility and choice.

DEA MATE Opioid and Substance Use for Practitioners

Meet the DEA's new requirement under the Medication Access and Training Expansion (MATE) Act in an online and self-paced 8-hour DEA MATE Act course specifically designed for practitioners, including Physicians, PAs, NPs, Pharmacists, Dentists and others.

LATEST & POPULAR

BLOG

Nurse Strikes are Scary, but License Verification Doesn’t Have to be
BLOG

Mind Matters: The Interplay of Staff Wellness in Quality Outcomes
BLOG

Unlocking Revenue in Healthcare: The Power of Efficient Credentialing
On-Demand Webinar

Understanding ENA’s Emergency Severity Index Handbook, 5th Edition
On-Demand Webinar

From Regulations to Realities: Nurse Staffing, Unions, and the ShiftWizard Advantage
On-Demand Webinar

myClinicalExchange Empowers Logan Health to Transform Student Onboarding

< HealthStream Resources

HIPAA Audits: The Proof Is in the Process

April 1, 2021
April 1, 2021

This blog post is taken from a recent Webinar featuring Marti Arvin, Vice President of Audit Strategy at CynergisTek.

A cornerstone of auditing HIPAA compliance is the existence of a clear and established process. If you haven’t done so recently, consider revisiting your process for auditing employee access to PHI. OCR requires you to demonstrate you have a strong process that assures prompt investigation and notification in no more than 60 days after the discovery of inappropriate access. You must document not only your findings, but also your process for conducting the audit. You will be expected to demonstrate a labor-intensive auditing process, unless you have technology tools to assist you.

Making Tough Choices

I often hear, “We don’t have money to buy that technology or software. We don’t have money to hire the people to do this.” That will never be an adequate explanation for OCR. You’re in the healthcare business, and under current regulations, there is an expectation you will do what is necessary to protect the data of the individual. Organizations must make the technology and administrative choices necessary to mitigate their risks. The technology and staffing I used at UCLA may not be the same as yours. What’s important is the result.

For example, you may have established a process that routinely reviews the volume of records reviewed by employees. If Marti normally has access to 50 patient records a day, and suddenly she’s looking at 200 records a day, why is that? Did Marti have an assigned special project she was working on, or was she doing something else? Was she doing something nefarious? Was she selling patients’ identities or allowing someone else to steal identities? You must have a structured process for auditing employee access.

When your audit process identifies anomalies, ensure you investigate them promptly and thoroughly. The review must determine whether the anomaly is harmless and appropriate, providing the reasons why, or whether it’s an inappropriate anomaly that must be reported. Your process should be ongoing and repeated as needed.

Risk Analysis

You must also perform a periodic risk analysis. How often is often enough? The industry standard is at least once every three years, and I recommend this as a minimum. The OCR phase two audit process includes a security provision requesting that organizations provide them with both the prior and most recent risk assessments. They want to examine the time frame between issues you identified in the prior assessment and in the most recent. They want to see evidence you have mitigated any identified risk or evidence the mitigation is well underway.

You may think, for example, people transferring PHI to a thumb drive is a threat to your organization. One solution might be installing software that encrypts anything transferred to a thumb drive. Alternatively, you may disable USB drives so no one can download data to a thumb drive. Those are two very different but acceptable ways of handling the same issue. In either case, you’ll be expected to repeat the risk analysis to evaluate whether your remediation is working and to address any new risks to the environment.

If you make the tough choices, you can sleep well, knowing you have a solid process for assuring HIPAA compliance.

Watch the full Webinar here.