Audit Guidelines in Using Protected Health Information

During the course of a business audit, it is not unusual for one player in the P-HCC, even though it has a formal contractual business relationship, to claim that HIPAA prevents it from conducting due diligence or compliance checks with a vendor. As an auditor and third party, expect one of the covered entities to request your signature on a business associate agreement. This agreement acknowledges your understanding of what PHI is and the limitations on its use. In addition, business associate agreements typically include provisions or procedures to mitigate any unplanned breaches.

Once the formalities of access have been defined, the key issues are the location and use of PHI. The audit may focus on only one or two players within the P-HCC. Once you have identified these players, use the following key points to guide your analysis of each of them:

  • Conduct an operational flowchart of the business functions and respective data involved to complete the business function and the technology driving both function and information.
  • Conduct an operational flowchart of job titles and respective data utilized to do their work and the technology driving both function and information utilized.
  • Identify by business function all PHI transactions that occur verbally, telephonically, by facsimile, in hard-copy, and electronically, including any social media communications.
  • Identify by its title within each business function ...
