Keeping risk assessment documentation and other compliance evidence in a centralized repository is a good way to prepare for any HIPAA audit or investigation.
Office for Civil Rights (OCR) officials have said a permanent HIPAA security audit program is expected to begin sometime after the start of fiscal 2014 on Oct. 1; it will include business associates as well as covered entities. Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance. Of the 115 covered entities audited in last year's pilot program, two-thirds had non-existent or inaccurate risk assessments, OCR officials have said.
In addition to random HIPAA audits, OCR often also evaluates the status of organizations' HIPAA compliance as part of the office's data breach investigations.
It is recommended to create a centralized documentation repository that builds a book of evidence based on what other organizations have been asked for in HIPAA security audits and other OCR investigations. Document all of your risk management decisions and make that documentation part of the repository.
To assist with documentation, you may use the Microsoft Office suite, SharePoint, and the full version of Adobe Acrobat so that you can bookmark documents. That practice can help put all important details and evidence in an easy-to-retrieve format that won't break the bank.
Documentation related to an organization's risk analysis is important, considering that the initial round of HIPAA compliance audits conducted in the pilot program showed that many covered entities do a poor job of conducting thorough and timely risk assessments.