The initial test of OCR desk audits will be completed by December 2016. Full-scale desk audits begin in January 2017, focusing on small health care practices.
As part of the new OCR desk audits, inspectors are focusing on the Security Rule and will review each facility's HIPAA compliance policies and procedures, computer/network security, and breach risk assessments. Desk audits will request your Risk Analysis, Risk Management Plan, Disaster Recovery Plan, Annual Privacy and Security Assessments, and a random selection of policies and procedures. To help get your pharmacy prepared, we've broken down what each of these items is and why you need it.
A properly written Disaster Recovery Plan enables your facility to respond to all types of emergencies, disasters, and incidents. This document should include a list of all personnel with their contact information, as well as a vendor contact list with names, phone numbers, and any account numbers. It's also worth including an equipment inventory. Keep a current copy of the plan somewhere that will survive the disaster (off-site or in a hosted portal), not only on the computers it is meant to help you recover; a plan you can't reach is no plan at all. A well-organized Disaster Recovery Plan can truly save your business should disaster strike. One of our clients in Western Pennsylvania dealt with this first hand when severe flooding shut down his pharmacy and destroyed most of his equipment. Because his R.J. Hedges Project Manager made sure his business's information was kept up to date each month, he was able to access everything he needed and get back up and running in just 24 hours.
The Risk Analysis is the Security Rule's starting point: it identifies where ePHI is created, stored, and transmitted, and the threats and vulnerabilities to it. If you have more than one location, you'll need a Risk Analysis document for each location. Each facility has its own needs and vulnerabilities depending on where it is, such as the risk of hurricanes, tornadoes, floods, and other environmental hazards, in addition to the technical and human threats (malware, lost or stolen devices, unauthorized access) that apply everywhere.
The purpose of the Risk Management Plan is to implement the recommended controls, or acceptable alternatives, for the threats and vulnerabilities identified in the Risk Analysis. After identifying the risks to each of your locations, the Risk Management Plan should document what preventive measures you've taken to address each one, who is responsible for them, and when they were put in place, so an auditor can trace every identified risk to a decision.
The Notice of Privacy Practices (NOPP) tells patients how their Protected Health Information (PHI) will be used, disclosed, and protected. Provide this document to new patients, and post it at the counter or on a public bulletin board; if your pharmacy has a website, the notice must be posted there as well. Auditors will be checking that it is publicly visible in your facility and dated after July 1, 2013. You can access template versions of the NOPP on the U.S. Department of Health & Human Services website, but make sure the notice is customized to your business.
During a HIPAA desk audit, you will be asked to provide policies and procedures in the following areas: administrative safeguards, physical safeguards, technical safeguards, potential breaches of unsecured protected health information, uses and disclosures, and administrative requirements.
A key role in HIPAA compliance is your Privacy Officer. Each facility must designate one. The Privacy Officer is responsible for developing, implementing, and revising the facility's policies and procedures. The Annual Privacy Assessment is designed to give the Privacy Officer and managers an overview of the major points of the HIPAA regulations. Most questions come with a reason, a recommendation, and/or the regulation that applies. The questions cover both federal requirements and operational areas, including your reception area, garbage and waste materials, the privacy officer role, policies and procedures, training, HIPAA complaints, and breaches of protected health information.
Like the Privacy Officer, your facility's Security Officer must be a designated member of your team. This person is responsible for the safeguards that protect electronic PHI (ePHI): network security, encryption, access controls, and password policies. The Annual Security Assessment gives your Security Officer and managers a systematic process to review and validate every HIPAA Security Standard against your electronic data, where it is stored, and how it is transmitted. How secure is your facility's data? No facility is unhackable, so the useful question is whether you know where ePHI lives, how it moves, and which control protects it at each point. While going through this assessment, keep asking yourself, "Where is my weak spot, and how can I fix it?"
Without an expert to help you, creating these documents can take many hours or days. The first step to being HIPAA compliant is knowing what you need to put in place and why it matters. If you'd like these documents customized for you, we offer them as part of our HIPAA Compliance Program. The R.J. Hedges HIPAA Compliance Program contains all of these requirements within our Compliance Portal®. To learn more about our HIPAA compliance program, click here.