HIPAA Audits: Documentation Is Key
Evidence of Compliance Efforts is Critical, Expert Stresses
August 24, 2011 - Howard Anderson, Executive Editor, HealthcareInfoSecurity.com
Having complete documentation of every aspect of your privacy and security strategy is the best way to prepare for a HIPAA audit, says consultant Cliff Baker.
If HIPAA compliance auditors discover an organization cannot produce adequate documentation, they'll suspect its compliance efforts are subpar, Baker says.
In an interview, Baker recommends that healthcare organizations have a long list of documents ready. Among those are:
- Security and privacy policies and procedures;
- A risk assessment and corrective action plan;
- An organizational chart outlining privacy and security responsibilities;
- A technology inventory, including all security tools used;
- Business associate agreements;
- An incident response plan; and
- HIPAA compliance training materials.
The Department of Health and Human Services' Office for Civil Rights has hired KPMG to launch HIPAA privacy and security rule compliance audits in the months ahead (see: McAndrew Explains HIPAA Audits).