The concept of an audit is nothing new to companies that are subject to Sarbanes-Oxley, but it may be relatively new to organizations subject to the Health Insurance Portability and Accountability Act -- because until now, the Department of Health and Human Services has not conducted an offical audit for HIPAA compliance. According to Computerworld, Piedmont Hospital in Atlanta, Ga., is currently undergoing the first one, and it's causing others in the health care industry to double check their own compliance status.
In a recent IT Business Edge interview, health care attorney -- and HIPAA blogger -- Jeffrey P. Drummond explained that the reaction of the industry to the Piedmont audit will help determine what HHS does in terms of future audits:
...[T]he Piedmont audit, even if it comes out clear, is already shaking some folks into action. If OCR [HHS Office of Civil Rights] perceives the industry as reacting to the audit by reinvigorating efforts at HIPAA compliance (particularly Security, which never got the attention it deserved from folks who got worn out chasing after the Privacy regulations), the sleepy enforcement environment will continue. If they think the audit was shrugged off, they'll find some other folks to pick on.
How do you prepare for the inevitable HIPAA audit?
Most of the privacy portions could be implemented pretty much right out of the box, but some areas (such as employee access to information) should be readdressed occasionally... Security is an ongoing chore though, and HIPAA compliance folks and IT folks should be working together regularly to reassess risks and weaknesses and implement appropriate responses, particularly considering changes in the security environment...
Oh, and document the crap out of everything. For example, there are some components of the Security Rule where action is not required, merely "addressable." In those cases, if you determine you don't need to take any action, you still need to document the fact that you considered the issue and reached the determination that action was not required.