HIPAA Regulatory Alert

What can you expect when auditors arrive?

The initial notice of audit from the Department of Health and Human Services' Office for Civil Rights (OCR) asks for a significant amount of documentation and information to be submitted within 10 days of the notice date, but that will not be the end of information for which you'll be asked, says Mac McMillan, chief executive officer of CynergisTek, an information technology security consulting company, who advised a Texas hospital included in the initial audits.

"A pre-audit conference call is made a minimum of five days before the visit," explains McMillan. His client's audit occurred six weeks after the initial notice, but it could have been scheduled anytime during a 30-90 day period from the date of the notice, he says. During the conference call, additional documentation and a list of people with whom the auditors want to meet is provided. "The call is helpful because you can make sure your key people are onsite when the auditors arrive and prepared to meet with them," McMillan adds.

His client provided a conference room for the auditors to use during the visit and gave them guest privileges on the hospital's wireless network, he says. "The privacy and security officers cleared their schedules so they were available to the audit team the entire week," he explains. In addition to the privacy and security officers, make sure other administrative and medical staff leaders are aware of the audit and are prepared to meet with auditors, he suggests.

Auditors did walk around the facility, says McMillan. "Let your entire staff know the auditors will be onsite and that they may talk with employees at any time," he says. The walking tour and talks with employees are two ways the auditors can check to see if the hospital policies are communicated and understood by all employees.

Remember that an auditor's job is to uncover weaknesses, points out McMillan. "After you submit your initial documentation, you don't know if the auditors are going to audit your entire program or focus on specific areas," he says. They have the option of conducting the audit either way, he adds.

Immediately following the onsite visit, the hospital received an outline of audit results along with specific areas in the privacy and security rules in which the hospital was deficient, says McMillan. "This outline gives hospital leaders a good idea of what the final report will include," he says. "The hospital had 10 days to respond to the final report and provide any additional documentation that demonstrated compliance."