What: The Department of Health and Human Services conducts three types of audits or investigations involving privacy and security issues, but preparing for any of these inquiries requires similar steps. Experts who presented a workshop at the recent 2013 HIMSS Conference say the best way to prepare for any HHS inquiry, based on findings of investigations so far, is to: conduct a thorough risk assessment; set clear security and privacy policies and procedures; train workers on privacy and security policies; document all security and privacy efforts; and know where to locate those documents if needed as evidence during an audit.
Why: Now, more than ever, it is important to have a compliance plan in place as well as an action plan in case your practice is investigated. For those who believe ‘it can’t happen to me,’ it is important to note that “some of the largest HIPAA penalties against organizations have been levied after OCR uncovered HIPAA non-compliance issues, such as the lack of timely risk assessment or insufficient employee training, while investigating small breaches.”