Version 1, 1/16/09, Per Security Rule





This document is Copyright 2008 by HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This document is provided “as is” without any express or implied warranty. This document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.

Since the security audit at Piedmont Hospital, several documents have been published that indicate what security auditors will look for. This quick start guide is a tool to help locate documents that may be needed when security auditors arrive at your organization.

First, a disclaimer: CMS has told us that when auditors arrive they will be looking for the details listed in the Quick Start spreadsheet; however, they are not limited to those items. Once a security auditor is at your organization, virtually anything security-related may be asked for. Auditors will be looking for things that you have not thought of. Be as prepared as possible. Part of this preparation is having an up-to-date list of everyone who may need to be involved.

This spreadsheet is based on two documents. The first is the “42 Questions” article published in Computerworld shortly after the Piedmont inspection. The second is a guidance document published by CMS. The intent of the spreadsheet is to allow an organization to easily find the policies and documents that answer the questions we know auditors will ask.


“HIPAA audit: The 42 questions HHS might ask,” by Jaikumar Vijayan

CMS document: This document is no longer available on the CMS website. A search did not find it. The items selected from it and included in the accompanying spreadsheet are still a useful guide to the materials that should be available in the event of an inspection.

Presentation: A related presentation given at the Spring 2011 HIPAA COW meeting is also relevant to planning for a CMS inspection. It is available at:


Cathy Boerner, Steve Dake, David Ebert, Todd Fitzgerald, Lee Kadel, Mary Koehler, Fred Mikolajewski, Allen Mundt, Mary Niska, Patty Pate, Kim Pemble, Wayne Pierce, Amy Purvis, Holly Schloenvogt, Jim Sehloff, LaVonne Smith, Bill Turner, Scott Vaughn

© Copyright 2009 HIPAA COW