“Prepare for” an Audit or “We are Ready” for an Audit – Big Difference!
Early Monday morning the Operations Manager (OM) receives an email from the Compliance Officer (CO) of a large client organization. Not the ideal way to start the week. The CO plans to visit the record and data center on Wednesday and asks the OM to suggest a convenient time.
There is no “rule” that a Covered Entity (CE) must forewarn the service provider of a site visit, only professional courtesy. In the context of provider expectations within the HIPAA/HITECH regulations, a CE has a dual mission: to measure the RIM provider’s compliance with the regulations and with the breach notification rules.
Each CE is required to verify Business Associate (BA) compliance, which includes requesting copies of policies and procedures and determining whether the BA has implemented reasonable safeguards to protect the confidentiality and integrity of PHI.
Audits by a CE are evidence-based. Therefore, a BA must be able to produce documentation that the RIM organization is HIPAA/HITECH compliant. To document compliance, providers must show policies and procedures that have been implemented and are followed by team members. Policy and procedure enforcement must be demonstrated throughout each level of the RIM provider team.
When a client’s Compliance Officer announces a site visit to a RIM provider for the purpose of a compliance audit, expectations are that appropriate documentation is currently in place and readily accessible at the time of the visit. RIM Organizations that are PRIVACY + and/or NAID AAA Certified are ahead of the process. The preparation and certification process provides guidance that ensures essential components are considered, implemented, and validated.
Policies and procedures should include physical, administrative, and technical safeguards. The dates on all documentation must show that it is current and reflects any recent changes in the standards. Associated forms that correspond with policies and procedures should reflect the same updates.
Documentation should be readily available, including organizational charts, incident response plans and reports, breach notification documentation, complaint and sanction policies, and contingency plans.
A comprehensive program would clarify the training components and the frequency of training, and document the training in team member HR files. Workforce refresher training standards apply to policies and procedures, with the goal that a team member can articulate the policy and describe how specific policies apply to their role within the company. A reasonable approach to training should include training upon hire and annually at a minimum. Should changes in the standards occur at other times throughout the year, training would occur to cover the applicable updates/changes. Education and the sharing of updates or changes that have minimal impact on team members and/or involve no handling of PHI can be accomplished via an interoffice communication method. Ensure that documentation of this type of staff awareness training is recorded in the company compliance tracking system.
In situations where a potential or actual breach has occurred, it is expected that retraining occurs and team members involved document an understanding of expectations related to the cause and remediation of the incident.
It is beneficial to organize compliance response teams that include members at various levels within the staff – not just management or the team member responsible for overseeing company compliance. The goal for compliance and safeguards by a RIM provider is to provide consistency and weave components of compliance into the daily functions of team processes.
Compliance with standards in the organization has a higher degree of success when team members participate in implementation and reviews. As with any compliance program, performing mock audits that include walk-throughs and interviews is beneficial. By collecting and reviewing findings and reporting them to the team, deficiencies or known compliance issues can be identified. Mock audits can be simple to perform and can be used as team-building exercises. Thereafter, team members can develop a plan with timelines to correct known issues, focusing on the biggest issues and easy fixes first.
Team members should be able to discuss the PHI lifecycle within the organization as well as how security and integrity are maintained within the organization. In review with the staff, each team member should understand where client PHI is created and/or received by the organization and how to safely maintain the PHI. Clarify how the RIM organization will handle/transport records or transmit encrypted data. Clarify team member understanding of the organization’s methods of destruction for paper, media, and electronic data that include PHI when completing the information lifecycle.
Building a Strong Foundation
Successful compliance programs within the RIM industry are those that incorporate practical business standards into current business applications. When team members implement daily business processes that meet industry standards, privacy and security continue to be “top of mind”. The PRISM PRIVACY + Certification program provides practical business concepts that integrate with policies and procedures to enhance compliance across the spectrum of current regulatory and accrediting body standards.
An untimely site visit should be an event that welcomes any client to the record/data center rather than one that sends alarm throughout the management team. Move away from “getting ready for an audit” to “we are ready for an onsite review – bring it on”.
By: Gail Bisbee, RN, BSN, PRISM SME
October 16, 2019