Government entities such as HHS, OCR, and CMS conduct random but meticulous audits to assess compliance with HIPAA regulations. To avoid potential penalties, we advise being prepared and conducting a risk analysis with Avant Garde beforehand. While the likelihood of being audited is relatively low, non-compliance with safety and risk regulations can result in legal action or fines.


HIPAA & EPHI Requirements

Understanding HIPAA and EPHI: HIPAA, enacted in 1996, required HHS to develop regulations safeguarding the privacy and security of certain health information. The Privacy Rule and the Security Rule were established to ensure the protection of individually identifiable health information and electronic protected health information (e-PHI). The Security Rule sets forth the technical and non-technical safeguards that covered entities must implement to secure individuals’ e-PHI. The Office for Civil Rights (OCR) is responsible for enforcing these rules through voluntary compliance and penalties.

Source: Summary of the HIPAA rules and ePHI


Avant Garde’s Risk Analysis Process

To successfully pass an OCR audit, covered entities must have a comprehensive, documented Security Risk Analysis in place to protect electronic protected health information (e-PHI). We diligently conduct this analysis in collaboration with providers, considering the size of their practice. Our services include designating a privacy and security officer, developing written policies and procedures, providing HIPAA-related employee training, conducting a thorough risk assessment, establishing disaster recovery plans, maintaining PHI disposal logs, and implementing security incident monitors and reporting guidelines. Our approach adheres to the Security Rule mandates during the risk analysis process.

In the event of an audit, we recommend seeking professional assistance. While online tools may offer convenience, they can be risky shortcuts. It’s important to understand that having documentation is not the same as having good documentation. Auditors prioritize quality over quantity, focusing on the appropriateness of the information contained in the documentation.