An excellent article by Dom Nicastro discussed the 5 major stumbling blocks that an auditor in Oregon has noticed lately.
I expand on two of the stumbling blocks, they listed below.
- Lack of a risk analysis – Many organization have possibly executed on risk analysis, most have never even done one.
- This should include, but is not limited to reviewing data backup, does everybody have their own login to the computer network, are passwords required to be changed at regular intervals…
- Undocumented policies and procedures – a lack of a company employee computer policy.
- You can be doing everything correct, but if it is not documented, and auditor doesn’t care. Additionally, if what you expect from your employees is not written down, chances are they really don’t know what is expected of them…even if you told them…and if you have to fire them for a violation of these unwritten policies – good luck defending yourself.
- Lack of training – security training is an annual requirement.
- Yes, you are required to put your employees through annual training. Those that I see doing it correctly shut down their office for half a day and get everyone trained – we’ve come up with a better HIPAA training process.
- Failure to conduct compliance audits – Whether you call it an audit or evaluation, these are an annual requirement.
- Nobody we deal with is doing these, until we arrive. Guess what, if you expect to get any HITECH money…you’ll be expected to have your audit complete.
- Lack of disaster recovery planning and emergency mode operations – What will you do if a fire, flood or theft occurs to your office?
- This is a short fall in every office we audit. This HIPAA backup service not only help with stumbling block 1, but also handles #5 for you entirely.
The only way to really know what is going on is to have your practice assessed, sticking your head in the sand will only make things worse.
The beautiful thing about a HIPAA Audit is, when done right, it then gives you the road map to compliance, eliminating the guess work.