Setting up Self – (Phase One) Audits
Covered Entities (CE) (Doctors Offices, Clinics, Hospitals)
Business Associates (BA) (The only difference between compliance with CE and BA is that Business Associates do not have to take the Privacy Audit. BA’s may need Privacy Policies if they share PHI with others. If this is the case, discuss this with your HIPAA Coach during your last meeting.
How to set up self-audits
Phase 1 Audits: After logging into The Guard, please hover over Auditing and select Questionnaire from the drop down which shows.
Covered Entities will need to complete the self-audits titled ’HIPAA Security Standards,’ ‘HIPAA Privacy Standards’ and ‘HITECH ACT Subtitle D Privacy Self Audit’. As shown in the screen below, drop down the box, highlight the audit you want to start and click ‘Start new Audit’. You will need to do this for each audit we identified you need to complete as stated above.
Business Associates will need to complete the self-audits titled ’HIPAA Security Standards, and ‘HITECH ACT Subtitle D Privacy Self Audit’ only.
Now that you have created the audits, you will follow the directions below to view and complete the audits. As you can see, you simply click the audit you want to work on and then VIEW/CONTINUE the Audit, NOT Start a new Audit.
Answering Questions within The Self-Audit
How to address answering the questions – You will find most answers will be ‘Yes’ this time around.
Answer ‘No’ if –
1. If you read the question and do not understand it.
- Do not feel you have a process (Procedure) in place.
- Do not have the written policy.
- Or your Policy and Procedure are over three years old and you have not updated them.
If you feel you need to elaborate, then use the notes section below that question to document.
You will work your way through any given number of questions on a page and will then want to click Submit Answer / Continue onto Next Question. When you answer the very last question on any given audit you will be presented with an option to ‘Finalize’ it. Entirely okay to go ahead and do so but please know this will set your answers in stone. If you wish to review them, please be sure to utilize the ‘Previous Question’ button prior to finalizing the audit.
Addressing Manual Audits (IT and Physical Site)
Upon completion of the three MS Excel sheets you will want to go about uploading them back into The Guard. It is a bit different than the approach you followed last year, but please read below for further instructions on how to achieve this.
Please be sure to complete the three manual audits found in this document and follow the process seen in the picture above for uploading the new version of that document.
Reviewing your Business Associate Agreements
Click on the name of the Organization so it highlights black. Then, by clicking View Selected Item, you will be able to bring up the profile to the top of the screen.
Click on the Contracts tab and highlight the document by clicking on it. Then, select View to download the Business Associate Agreement to your computer for review.
What you are looking for is whether there has been a change to the relationship with this Business Associate, or the actual documentation that you have in place. If there has been no change to the relationship/documentation please add this sentence into the Notes tab of that Vendor’s profile – Reviewed by XXYOUR NAMEXX – No changes to BA found – Current BA still active on XXTODAY’S DATEXX. If the relationship/documentation has changed at all send a new Business Associate Agreement to the BA.
The Guard will automatically build remediation plans for you once the internal audits are finalized.
If you find it necessary to build gaps for other items, you can do so manually following the directions below –
Please go about setting up the framework for the Remediation Plans as outlined below and we will be happy to walk you through closing these out as well.
To begin fixing gaps, first go to Auditing and select Remediation Plans. Then, click the tab labeled ‘Gaps’ found mid-screen (next to the tab labeled ‘Notes’). Once there, highlight the top item under ‘Unassigned/Open Gap Items’ and click the key labeled ‘Sel>.’
DO NOT MOVE THE ITEMS OVER ALL AT ONCE VIA THE ‘ALL >>’ KEY!!
When you click ‘Sel>’ this will move the solitary gap item from it’s ‘Unassigned’ status to ‘Associated Gap Items.’ You will find the Remediation Plan Title populates automatically upon placing the gap into the ‘Associated Gap Items’ status.
After maneuvering the top item over to ‘Associated Gap Items’ you will want to be sure to fill in your full name in the ‘Assigned To’ field, your e-mail address next to where it says ‘Email,’ and list the Start and End dates as advised by your Compliance Coach. Finally, be sure to click ‘Save Remediation Plan’ to the left and do not select ‘Mark Complete / Gaps Resolved’.
You will need to go one-by-one and follow this same exact process for each and every gap item listed beneath the ‘Unassigned/Open Gap Items’ field.
Any questions or concerns will be addressed at the closing meeting, including resetting of training and answers to any other concerns you may have.
This ties back to The Seven Fundamental Elements of an Effective Compliance Program by “Conducting internal monitoring and auditing.”