HIPAA Privacy Auditing & Monitoring Program

By the Office of Compliance & Audit Services

I. Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates all covered entities to establish policies and procedures to ensure the confidentiality of protected health information (PHI). DHSU's comprehensive audit program was designed as an ongoing internal HIPAA compliance monitoring program and will ensure that the privacy policies and procedures are being followed correctly, that appropriate safeguards are in place and that the privacy of PHI is being maintained in accordance with the mandated standards.

II. Audit Activities

Physical Rounds- Physical rounds will be conducted that will incorporate a privacy assessment of physical safeguards for electronic, paper and oral PHI. During each round, the Privacy Assessment form will be completed. Any deviances from the required safeguard will be documented and reported to the appropriate administrator for further evaluation and follow up. The following elements will be reviewed during these rounds:

  1. Electronic Information
    1. Monitors facing the public;
    2. Systems left open on screens when not in use;
    3. Passwords & ID's visible to the public.
  2. Paper Information
    1. Patient information left unattended;
    2. Rooms or cabinets containing patient charts are not locked or supervised;
    3. Boards containing diagnostic information are visible to the public;
    4. Fax machines are located in non-secure areas;
    5. Patient information discarded in regular trash cans;
    6. Shredders not present or not functioning.
  3. Verbal Information
    1. Patient information discussed in public.

III. Reports

A. Deficiency Reports- Individual department deficiency reports identifying the findings and recommendations for corrective action plans will be documented and distributed to the respective departments. These reports will be based upon the results of physical rounds.

B. Complaints/Incidents- All patient privacy complaints and incidents will be documented, as well as the associated follow up, outcome and any disciplinary referrals. Complaints will be reviewed to determine trends, to identify types of complaints and any identified need for focused training.

C. Periodic Summaries- Summaries reporting the program monitoring results and analysis will be submitted to the Compliance & Audit Oversight Committee of the following:

  1. Complaint/Incident Statistics
  2. Employee and Resident Delinquent Training Summary

IV. Conclusion

This HIPAA Privacy Auditing & Monitoring Program will be reviewed on an annual basis to ensure it is complete and up-to-date. Revisions to current policies and processes may result in a modification to this program.

Corrective action plans developed as a result of this program's ongoing monitoring will be consistently enforced. Additionally, the OCAS will provide focused training, as needed, to ensure adherence to this program.