Health Information Matrix (summary)

1. An audit found PHI on computers sold by the organization 2 years ago, violating HIPAA breach notification requirements. The organization did not notify affected individuals or investigate. This is considered non-compliant with high risk and priority for action.
2. The organization charges $12 for patient access to pharmacy records through its patient portal, violating the 21st Century Cures Act requirement for free access. This is partially compliant with low risk.
3. No security risk analysis has been done since purchasing a new EHR system 2 years ago, exposing patient records to potential breach. This is partially compliant with low risk.
Health Information Technology
Audit Compliance Evaluation Matrix

Name:
Date:

Columns of the matrix:

Audit Findings
The Law and Code Section
Legal Requirements and Penalties for non-compliance with the Law
Compliance Assessment: Compliance / Partial Compliance / Non-compliance (support your rating)
Compliance Risk Assessment: High / Medium / Low (evaluate and rate the risk of non-compliance based on the audit findings and the penalties for non-compliance; justify your assessment rating)
Priority Rank for managerial action: 1 = first to need action, 10 = last to need action (for each audit finding, determine its priority for action based on the compliance risk; number each audit finding from 1 to 10 in order of priority, with 1 being the first priority and each having a different number; justify your priorities)
The next action you would take to comply with the law: describe the action you would take next, state reasons to support your action, and explain why it is the next action

Finding 1
Audit Findings: The audit finds that the company has a good record retention policy in place and a solid process to de-identify personal health information (PHI) before removal of PHI from computers. This process has been in place for one year. However, two years ago the company sold 10 office computers on eBay and replaced them with newer models. PHI of 10,000 patients was found on the 10 computers after they were sold. The company learned of this 1 ½ years ago and did nothing to follow up. There is no breach notice policy.
The Law and Code Section: HIPAA Breach Notice
Legal Requirements and Penalties: Breach notifications must be given within 60 days after the breach is discovered. The covered entity must indicate procedures to safeguard victims from damage. The covered entity must provide an investigation activity summary on the breach, and indicate efforts to avoid future breaches. Penalty: it falls in the tier 4 category of the penalty structure, considering that no attempt has been made to remedy the breach.
Compliance Assessment: Non-Compliance. No effort was made to contact the affected individuals. A record retention policy is implemented.
Compliance Risk Assessment: High. The penalty for the breach is in the tier 4 category, implying that $50,000 can be charged as a fine for every individual affected.
Priority Rank: 3. It is a close priority.
Next Action: Implement a HIPAA Breach Notice Checklist.

Finding 2
Audit Findings: The audit found that the organization has a patient portal where patients can review their electronic health information (EHI) through a secure portal. This has been popular with patients and there have been no security breaches. However, recent patient satisfaction surveys indicate patients would like to be able to access their prescription drug records through the portal. The organization outsources its pharmacy through a national vendor. The vendor is willing to make the information available, but the organization's EHR system is not compatible with the vendor's, so it would be very expensive. The organization currently charges $12 for patient access to pharmacy records.
The Law and Code Section: 21st Century Cures Act and Patient Access to EHI; CEHRT Interoperability
Legal Requirements and Penalties: The 21st Century Cures Act mandates healthcare providers to offer consumers timely, free, "immediate" access to every health record in their EHR. Penalty: appropriate disincentives for the healthcare provider; about a $1 million fine on the IT developer for information blocking.
Compliance Assessment: Partial Compliance. There is a functional portal for EHR, but it is not comprehensively free, as patients cannot have access to specific information for free. The free service requirement of the 21st Century Cures Act is violated by the $12 charges.
Compliance Risk Assessment: Low. The Act is not clear on the penalty against the healthcare provider, but mentions "appropriate disincentives".
Priority Rank: 9. This can be circled back to after revisiting some of the portals and assessing it.
Next Action: Seek a vendor that has a compatible EHR system. The cost of administering the service through the vendor is unavoidable, but a vendor whose system is compatible with the organization's EHR system will be more effective.

Finding 3
Audit Findings: The audit showed that a security risk analysis was done 5 years ago and that the issues identified were corrected. No security risk analysis has been completed since then, even though the organization purchased a new electronic health record (EHR) system 2 years ago. The sellers of the EHR system said the system itself was a tool to manage risk. The audit showed that there have been 5 security breaches in the last 5 years and that they all involved "curious employees" looking at the records of high-profile patients. The only action taken against the employees was a reprimand by the supervisor and attendance at an extra HIPAA training session.
The Law and Code Section: HIPAA Security Rule
Legal Requirements and Penalties: The HIPAA Security Rule provides benchmarks to secure patients' electronic personal health information that a covered entity creates, receives, uses, or maintains. To preserve the privacy, authenticity, and protection of electronic protected health information, the Security Rule mandates adequate administrative, structural, and technical protections.
Compliance Assessment: Partial Compliance. There is an EHR system available, but there is no security risk analysis, exposing patients' records to breach.
Compliance Risk Assessment: Low. The unauthorized person is an employee of a covered entity.
Priority Rank: 10. This can be circled back to after revisiting some of the analyses and assessing it.
Next Action: Implement the HIPAA Security Risk Assessment Toolkit.

Finding 4
Audit Findings: The audit found that your health care organization is known internationally. In the last 2 years, you have treated 25 international patients, of whom 10 were from the European Union (EU). All 10 of the EU patients requested their medical records be sent to their health care providers in the EU. Your health care organization honored these requests for medical records as it would any other medical record request.
The Law and Code Section: GDPR
Legal Requirements and Penalties: The provider must seek consent before processing personal data, among other conditions. Providers must show that patient data is properly protected. The penalty can go as high as 0.4% of annual revenue as a fine for violation.
Compliance Assessment: Partial Compliance. 5 Data Subject Rights provided. Consent not provided.
Compliance Risk Assessment: Medium. Not a willful violation, as there is effort to meet some of the requirements.
Priority Rank: 5. This can be considered an important priority and should be focused on when there are no other pending urgent tasks.
Next Action: Implement a GDPR Checklist.

Finding 5
Audit Findings: The audit found that the organization has been involved in 10 large e-discovery requests in the last year related to lawsuits for claims of medical negligence. The audit found that in all 10 e-discovery responses the records were sent electronically. There was no process to review for privilege or whether the record request exceeded the scope of discovery.
The Law and Code Section: E-Discovery Rule 26; Rule 502; HIPAA Privacy
Legal Requirements and Penalties: Parties must keep their discovery requests fair and proportionate to the issue at hand, according to Rule 26. As a result, reducing the extent of discovery can significantly minimize its burden. Rule 502(d) allows a federal court to issue an order noting that production of records covered by attorney-client confidentiality or the work product doctrine in the particular action or any other federal or state case does not compromise such rights. The HIPAA Privacy Rule provides nationwide guidelines for safeguarding medical records and other personally identifiable health data.
Compliance Assessment: Partial Compliance. The response time for e-discovery is 30 days, and it has been a year for the 10 requests.
Compliance Risk Assessment: Low. The e-discovery request is for a privileged record under the HIPAA Privacy Rule. However, the request does not nullify HIPAA privacy, as stipulated in e-Discovery Rule 502(d).
Priority Rank: 7. This can be circled back to after revisiting some of the audits and assessing it.
Next Action: Implement the 2021 HIPAA Official Compliance Checklist.

Finding 6
Audit Findings: The audit revealed that there were 25 small discovery requests in the last year that went out by e-mail. In two of those requests, the e-mail was sent to opposing counsel instead of to the attorney requesting the organization in the court case. None of the e-mails were encrypted, and 1 of the inadvertent e-mails to opposing counsel included mental health information of the patient. There was no follow-up. The organization has no policies or protocols for e-discovery.
The Law and Code Section: E-Discovery; HIPAA Security; HIPAA mental health; State mental health
Legal Requirements and Penalties: The HIPAA Security Rule provides benchmarks to secure patients' electronic personal health information that a covered entity creates, receives, uses, or maintains.
Compliance Assessment: Non-Compliance. HIPAA Security and Mental Health provisions were violated. No e-discovery protocol. State mental health provision violated.
Compliance Risk Assessment: High.
Priority Rank: 2. This should be checked on immediately and considered a high priority.
Next Action: Implement the HIPAA 2021 Official Compliance Checklist.

Finding 7
Audit Findings: The audit revealed that incident reports have regularly been released as part of court e-discovery. The CEO would like to find a way to keep the incident reports protected from discovery.
The Law and Code Section: HCQIA peer review immunity; Discovery privileges
Legal Requirements and Penalties: The HCQIA provides legal protection to organizations conducting peer review of medical professionals from legal liability for possible unfavorable measures taken during peer review proceedings, while adhering to statutory due process standards. Discovery privileges protect incident reports by law, reinforced by e-Discovery Rule 502(d).
Compliance Assessment: Partial Compliance. There is no discovery protocol, leading to the transmission of incident reports in court e-discovery. However, after the audit, the CEO is trying to protect the incident reports.
Compliance Risk Assessment: Medium. The possibility of re-occurrence is not high.
Priority Rank: 8. This can be circled back to after revisiting some of the reports and assessing it.
Next Action: Implement an e-discovery protocol.

Finding 8
Audit Findings: Your audit revealed that one of your employees, "Billing Betty", has been running a "side business". She is a secretary in the billing department. She copies patient health information (PHI) onto a thumb drive once a month, takes it home, and bills Medicare for prescription drugs for these patients. She has been earning a nice side income of $100,000 a month with the billings. When her supervisor asked her about a thumb drive they found, "Billing Betty" denied that it was hers. The company itself bills all patients once a month at the end of the month for services rendered.
The Law and Code Section: Medical Identity Theft; Red Flags Rule; False Claims Act
Legal Requirements and Penalties: Any individual, entity, or contractor who knowingly submits, or causes to be submitted, a false or fraudulent claim with the purpose of acquiring payment or approval is subject to criminal responsibility under 18 U.S.C. 287. The False Claims Act holds people and organizations accountable for defrauding government programs. The penalty for violation is up to a $23,607 fine and a 5-year jail term.
Compliance Assessment: Partial Compliance. Red Flags Rule violated. Medical Identity Theft rule violated. False Claims Act violated.
Compliance Risk Assessment: High. There is no Red Flag Checklist to prevent future occurrence.
Priority Rank: 4. This needs to be checked on as soon as possible, as this involves urgent, sensitive matters.
Next Action: Implement a Red Flag Checklist.

Finding 9
Audit Findings: Your audit revealed that hackers have been accessing information on medical devices, including defibrillators, as a back door to get to other network computers. Hackers have used this strategy to access personal health information on 251 patients in the last year. The last 45 involved ransomware attacks where the cyber-attacker demanded $100,000 each time to unlock the data. The company paid the first 3 times before it created backup files of the data.
The Law and Code Section: Cybersecurity Response; HIPAA Security; HIPAA Breach Notice
Legal Requirements and Penalties: Electronic information and assets should be stored so as to retain their confidentiality, integrity, and availability. The HIPAA Security Rule provides benchmarks to secure patients' electronic personal health information that a covered entity creates, receives, uses, or maintains. Breach notifications must be given within 60 days after the breach is discovered.
Compliance Assessment: Partial Compliance. Cybersecurity response partially implemented. HIPAA Security partially implemented. HIPAA Breach Notice violated.
Compliance Risk Assessment: Medium. The possibility of future occurrence is reduced by the implementation of backup files.
Priority Rank: 6. This can be circled back to after revisiting some of the portals and assessing it.
Next Action: Implement a Red Flag Checklist. Implement the HIPAA 2021 Official Compliance Checklist.

Finding 10
Audit Findings: The audit revealed that the organization is not yet using 2015 Edition CEHRT. The hospital can't use the EHR for electronic prescribing (eRx) and is not able to provide public health clinical data for reporting.
The Law and Code Section: 21st Century Cures Act; CMS Program Requirements; Interoperability Requirements
Legal Requirements and Penalties: The 21st Century Cures Act mandates healthcare providers to offer consumers timely, free, "immediate" access to every health record in their EHR. The implementation and sharing of certified EHR in a meaningful and secure way.
Compliance Assessment: Non-Compliance. 21st Century Cures Act violated. CMS Program Requirements violated. Interoperability requirement not implemented.
Compliance Risk Assessment: High. Willful neglect.
Priority Rank: 1. This is a very urgent and important priority and should be checked, assessed, and analyzed first.
Next Action: Implement a 21st Century Cures Act Checklist.
