Starting in January, the Office of Civil Rights started on-site inspections and desk audits sent via mail. You have 15 days to respond with the proper items. These consist of:
1. Notice of Privacy Practices (NOPP)
2. Disaster Recovery Plan
3. Risk Analysis
4. Risk Management Plan
If you present these documents, the inspection is normally over. For Desk Audits they, ask for additional information. These include:
5. Annual Privacy Assessment
6. Annual Security Assessment
7. Random Policies and Procedures
1. Notice of Privacy Practices (NOPP)
The NOPP provides information to the patient about how their Protected Health Information (PHI) will be used, disclosed and protected. You will want to provide this document to new patients, have it available at the counter or post it on a public board. Inspectors will be checking to see if this is publicly visible in your pharmacy. You can access template versions of the NOPP here on the U.S. Department of Health & Human Services website but make sure it is customized to your business.
2. Disaster Recovery Plan
A properly written Disaster Recovery Plan (also known as a Contingency Plan) can enable your pharmacy to react to all types of emergencies, disasters or incidents. This document should include items such as a list of all personnel and contact info, as well as all vendor contact lists including: names, phone numbers, and any account numbers. It is also worth your while to include an equipment inventory. A well-organized Disaster Recovery Plan can save your business in the event of a disaster.
One of our clients in Western Pennsylvania had to deal with this first hand when severe flooding shut down his pharmacy and destroyed most of his equipment. With his R.J. Hedges Project Manager making sure his business’s information was kept up-to-date each month, he was able to access everything he needed and get back up and running in just 24 hours.
3. Risk Analysis
The Risk Analysis identifies the pharmacy's characteristics from a physical location, to the technology processes. Potential threats to the facility are identified as:
If you have more than one pharmacy location, it is important to note that you will need a Risk Analysis document for each one. Each pharmacy has its own unique needs and vulnerabilities depending on its location such as risk of hurricanes, surrounding businesses and neighborhoods, and other hazardous influences.
4. Risk Management Plan
The purpose of the Risk Management Plan is to implement the recommended controls and alternate solutions for threats and vulnerabilities that have been identified from the Risk Analysis. After highlighting what your risks are to each of your pharmacy locations, the Risk Management Plan should demonstrate what preventative measures you have taken to counteract these risks.
Creating these documents can take up quite a bit of your already precious time but knowing what they are and why they are so important is the first step to being compliant. If you would like to get these documents created for you, we offer these as part of our HIPAA Compliance Program.
5. Annual Privacy Assessment
This assessment is designed to give the Privacy Officer and Managers an overview of the major points of the HIPAA statutes. Most questions will give a reason, recommendation, and/or the directing statute that applies to the various questions.
Such as:
An important part of HIPAA compliance is your Privacy Officer. The Privacy Officer is responsible for developing, implementing, and revising the facility's policies & procedures.
6. Annual Security Assessment
Is your computer system encrypted? How secure is your facility's data? It is important that your facility is unable to be hacked. While going through this assessment, you will want to think to yourself, "Where is my weak spot? How can I fix this?" This assessment is designed to give your Security Officer and Managers a systematic process to review and validate all electronic HIPAA Security Standards covering all your electronic data and how it is transmitted. Similar to a Privacy Officer, your facility's Security Officer must be a designated member of your team.
7. Random Policies & Procedures
During a HIPAA audit or inspection, you may be asked to provide certain policies & procedures under the following areas:
We hope our list has helped you better prepare for a HIPAA inspection. R.J. Hedges & Associates is here to keep you stress free and in compliance!™ If you would like more information on other ways we can assist you, visit our website at http://www.rjhedges.com/ or contact us with questions!