Billing: Protect PHI

Kit Shellhouse

Q. What types of information will I be required to provide to the OCR in the event of an audit of my HIPAA compliance program?

A. Being proactive will alleviate the pressure of an OCR (HHS Office for Civil Rights) audit. The OCR will request documentation from you as a provider. This information must demonstrate that your company has adhered to the required HIPAA Program.

To prove adherence, a portion of the required documentation will include the policies and procedures related to the protection of PHI (Protected Health Information). This must include how PHI is managed, a detailed account of your privacy practices, how you as a provider will ensure the security of electronic PHI, and how it is stored, accessed, transmitted, and audited.

The HIPAA Policies and Procedures outline the set process, but the OCR will request evidence of the Security and Risk Assessment, outlining the execution and acknowledgment of the security awareness and training programs by your staff. This would include the applicable training materials (manuals) and the staff records confirming implementation. Providing audit logs and access records that track who has accessed PHI will confirm that only authorized personnel have access to PHI based on the policies.  

Any company or person outside the organization that has access to PHI or ePHI is required to have a fully executed BAA on file. The OCR will choose randomly from the list of executed BAAs for audit. Unfortunately, there are risks of a breach. To identify potential vulnerabilities, a risk assessment and risk management plan will provide the details necessary to mitigate those risks.  

If a breach of PHI has occurred in the past, an incident report detailing each breach and how it was managed and reported would be required. This responsibility will fall to your compliance officer or compliance department. Like other areas in your business, the compliance department should include a cross-trained staff member for coverage. 

Kit Shellhouse is director of business development for the van Halem Group. Reach her at

