Healthcare News & Insights

4 keys for effective HIPAA audits

As some recent data breaches have shown, healthcare providers don’t just have to worry about outside hackers and thieves that are trying to access patients’ protected health information – they also must make sure their own employees aren’t violating patients’ privacy. 

One of the best ways to do that is to conduct HIPAA audits to make sure the organization is secure and that employees are following the rules. Here are four keys for effective audits:

1. Conduct HIPAA audits regularly

For some organizations, audits are a rare task performed when staff find extra time — which doesn’t happen very often. However, healthcare organizations must make regular audits a normal part of their operations. How regular? The Department of Health and Human Services (HHS) says providers should audit activity within clinical systems at least monthly.

2. Look for “trigger events”

In addition to regular HIPAA audits, HHS says certain events should trigger additional reviews, such as when:

  • A celebrity or high-profile person visits the hospital
  • An employee views the records of a patient with the same last name or address
  • A record is viewed in an isolated session if there’s been no patient activity in the previous 120 days, or
  • Nurses or other staffers view records for patients they had no part in treating.

Management, clinicians and IT staff should always be on the lookout for suspicious behavior that could prompt a look into activity logs.

3. Use available audit tools

Certified EHR systems must include tools that can provide detailed access logs for conducting audits. However, HHS warns that sifting through that data can be time-consuming and difficult, and many warning signs are missed when using manual processes. The agency recommends providers use specialized audit tools that can automatically look for those trigger events and detect suspicious patterns of behavior.
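As an illustration of what automated trigger-event detection can look like, here is an added example (not from HHS or any EHR vendor) that checks access-log entries against the trigger events listed above. The record layout, field names and sample data are constructed assumptions; a real system would read these from the EHR's audit log and patient/staff directories.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a real EHR schema.
PATIENTS = {
    "P1": {"last": "Rivera", "addr": "12 Elm St", "vip": False,
           "last_activity": "2024-05-20", "care_team": {"n_lee"}},
    "P2": {"last": "Chen", "addr": "40 Oak Ave", "vip": True,
           "last_activity": "2024-05-30", "care_team": {"dr_park"}},
    "P3": {"last": "Lee", "addr": "7 Pine Rd", "vip": False,
           "last_activity": "2023-11-01", "care_team": {"dr_park"}},
}
STAFF = {
    "n_lee": {"last": "Lee", "addr": "7 pine  rd"},
    "dr_park": {"last": "Park", "addr": "3 Bay Ct"},
}
ACCESS_LOG = [  # (timestamp, staff user, patient id), constructed
    ("2024-06-01T09:15", "n_lee", "P1"),
    ("2024-06-01T10:02", "dr_park", "P2"),
    ("2024-06-01T23:40", "n_lee", "P3"),
]
DORMANT = timedelta(days=120)  # the 120-day window from the trigger list

def norm(text):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(text.lower().split())

def triggers(ts, user, pid):
    """Return the trigger events that one record access matches."""
    patient, staff = PATIENTS[pid], STAFF[user]
    hits = []
    if patient["vip"]:
        hits.append("vip")
    if norm(patient["last"]) == norm(staff["last"]):
        hits.append("same_last_name")
    if norm(patient["addr"]) == norm(staff["addr"]):
        hits.append("same_address")
    idle = datetime.fromisoformat(ts) - datetime.fromisoformat(patient["last_activity"])
    if idle > DORMANT:
        hits.append("dormant_120d")
    if user not in patient["care_team"]:
        hits.append("not_on_care_team")
    return hits

def audit(log):
    """Keep only the accesses that match at least one trigger."""
    return [(ts, u, p, t) for ts, u, p in log if (t := triggers(ts, u, p))]

if __name__ == "__main__":
    for row in audit(ACCESS_LOG):
        print(row)
```

A flagged access is a prompt for human review, not proof of a violation: a clinician on the care team viewing a high-profile patient's chart still matches the first rule.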

4. Tell employees you audit

One way to prevent some privacy violations from happening is simply to conduct regular HIPAA audits and make sure everyone on staff knows about it. Being aware that their activity is monitored and that the organization takes compliance seriously can go a long way toward making staffers think twice before accessing data they shouldn’t.
