HIPAA Regulatory Alert

Get these documents ready for an audit

Although there is no way to know exactly what documents you will be asked to provide in the initial HIPAA compliance audit notice from the Department of Health and Human Services' Office for Civil Rights (OCR) there are some items you can expect to see on the list, according to experts interviewed by HIPAA Regulatory Alert:

• all policies related to compliance with HITECH privacy and security requirements;

• documentation of risk analysis for the organizations;

• business associate agreements and documentation of provider management;

• HIPAA training program for employees;

• names of compliance officers along with organizational chart for the provider;

• demographic information about the hospital, the patient population, and the medical staff.

Some of the documents you should also be prepared to provide include:

• List of terminated employees as well as new hires.

"This list will be used by the auditors to see how well you disable access for terminated employees and control access to protected health information for new employees," explains Mac McMillan, chief executive officer of CynergisTek, an information technology security consulting company, who advised a Texas hospital included in the initial audits. Although you might have a policy that describes the process, this list will give auditors an opportunity to see if your actual practice follows the policy.

• Proof of employee training on privacy and security requirements.

Having a HIPAA training program and proving that employees receive the training are different things, points out Adam Greene, partner at the Washington, DC, law firm of Davis Wright Tremaine. Your documentation should describe the content of the training program, who provides the training, and how you ensure that all employees are trained, he adds.

• List of complaints related to privacy.

Be prepared to share a list of complaints you've received from patients, family members, or employees about data privacy or security issues, says Greene. Documentation should include the complaint, who handled it, how it was handled, and how it was resolved.

There are also some documents you should choose to include, suggests Greene.

• Description of your best practices.

"The audit contract calls for identification of best practices, so if you know you have an effective poster campaign or HIPAA hotline, provide documentation of the program's success," suggests Greene.

• Improvement plans related to privacy and security.

Almost all risk analyses result in identification of areas that can be improved, points out Greene. "If you know you have a weakness, don't try to hide it and hope the auditors don't notice," he says. "Provide documentation of a plan to address a non-compliant area, show that you have prioritized the issues, and provide the results of evaluations of your efforts to come into compliance."