In recent months, we have seen a sharp rise in HIPAA investigations, breach reports and data security concerns. In March 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it is conducting on-site inspections and desk audits as part of Phase II of HIPAA enforcement. These inspections and audits will make up the first two rounds of audits. According to the OCR announcement, the first round of desk audits will focus on covered entities, while the second round will focus on business associates.
The initial test of OCR desk audits will be completed by December 2016. Full-scale desk audits begin in January 2017, focusing on small health care practices!
As part of the new OCR desk audits, inspectors are focusing on the Security Rule and will review each facility's HIPAA compliance policies and procedures, computer/network security and breach risk assessments. Desk audits will request the Risk Analysis, Risk Management Plan, Disaster Recovery Plan, Annual Privacy and Security Assessments and a random selection of policies and procedures. To help get your pharmacy prepared, we've broken down what each of these items is and why you need it.
Here are the top HIPAA items you need to pass an OCR desk audit and start protecting your independent pharmacy:
1. Disaster Recovery Plan (also known as a Contingency Plan)
A properly written Disaster Recovery Plan can enable your facility to react to all types of emergencies, disasters or incidents. This document should include items such as a list of all personnel and contact info as well as all vendor contact lists including names, phone numbers, and any account numbers. It’s also worth your while to include an equipment inventory. A well-organized Disaster Recovery Plan can truly save your business should any disaster strike. One of our clients in Western Pennsylvania had to deal with this first hand when severe flooding shut down his pharmacy and destroyed most of his equipment. With his R.J. Hedges Project Manager making sure his business’s information was kept up-to-date each month, he was able to access everything he needed and get back up and running in just 24 hours.
2. Risk Analysis
The Risk Analysis identifies the facility's risks and threats through a defined process. These threats are mitigated through preparation and good documentation before a disaster strikes. Potential threats to the facility would include:
If you have more than one location, it’s important to note that you’ll need a separate Risk Analysis document for each location. Each facility has its own unique needs and vulnerabilities depending on its location, such as the risk of hurricanes, tornadoes, floods and other hazards.
3. Risk Management Plan
The purpose of the Risk Management Plan is to implement the recommended controls and alternate solutions for the threats and vulnerabilities identified within the facility. After highlighting the risks to each of your locations, the Risk Management Plan should demonstrate what preventive measures you've taken to counteract them.
4. Notice of Privacy Practices (NOPP)
The NOPP provides information to the patient about how their Protected Health Information (PHI) will be used, disclosed and protected. You'll want to provide this document to new patients, post it on the counter or tack it on a public board. Auditors will be checking that it is publicly visible in your facility and dated after July 1, 2013. You can access template versions of the NOPP on the U.S. Department of Health and Human Services website, but make sure the one you use is customized to your business.
5. Random selection of policies and procedures
During a HIPAA desk audit, you will be asked to provide certain policies and procedures in the following areas: administrative safeguards, physical safeguards, technical safeguards, potential breaches of unsecured protected health information, uses and disclosures, and administrative requirements.
6. Annual Privacy Assessment
A key role in HIPAA compliance is your Privacy Officer. Each facility must designate a Privacy Officer, who is responsible for developing, implementing, and revising the facility’s policies and procedures. The Annual Privacy Assessment is designed to give the Privacy Officer and managers an overview of the major points of the HIPAA statutes. Most questions come with a reason, a recommendation, and/or the directing statute that applies, and they cover operational areas including your reception area, garbage/waste materials, the Privacy Officer, policies and procedures, training, HIPAA complaints, and breaches of protected health information.
7. Annual Security Assessment
Similar to the Privacy Officer, your facility’s Security Officer must be a designated member of your team. This person manages the organization’s network security and the encryption and password protection of electronic PHI (ePHI). The Annual Security Assessment gives your Security Officer and managers a systematic process to review and validate all electronic HIPAA Security Standards covering your electronic data and how it is transmitted. How secure is your facility’s data? It’s important that your facility cannot be hacked. While going through this assessment, you’ll want to ask yourself, “Where is my weak spot and how can I fix it?”
Without an expert to help you, creating these documents can take many hours or days. The first step to being HIPAA compliant is knowing which items you need to put in place and why they are so important. If you’d like these documents customized for you, we offer them as part of our HIPAA Compliance Program. The R.J. Hedges HIPAA Compliance Program contains all of these requirements within our Compliance Portal®. To learn more about our HIPAA Compliance Program, click here.