Make sure you have a solid understanding of the applicable standards and regulations, and of the organizations that make the rules. HIPAA, for instance, provides standards for processing electronic health transactions and unique identifiers, and it provides privacy and security rules to guard health information. The Department of Health and Human Services (HHS) publishes the HIPAA rules, and the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR) enforce them. There's plenty of information out there on HIPAA to get you up to speed (see Sites to See, page 74).
Finally, once you've wrapped up your internal audit, hire a third-party auditor to check your work. Your internal audit will have corrected any major problems, so the external audit should be no more than a sanity check.
Are You Covered?
Before committing resources to compliance, find out whether your organization is required to follow the industry-specific regulations. HIPAA provides a series of questions in a flowchart to help you determine if your organization is a "covered entity" required to comply with the act. Basically, if you're a health-care organization that provides health-care billing information in electronic form, a health-care clearinghouse or a health insurer, you are subject to HIPAA. You may also be subject to a CMS audit if you transmit Electronic Protected Health Information (ePHI) as part of your business.
You also should know the time frame for compliance. Once health-care providers and health insurers adopt HIPAA, for instance, they must use the standards within 24 months. (Compliance is usually required 60 days after the final rule is published.) If you're a health-care provider or insurer, you can use a clearinghouse to help you meet these requirements, much in the same way you can hire an accountant to do your taxes. A clearinghouse accepts a wide variety of EDI formats, so you aren't burdened with updating your records and billing systems to become HIPAA-compliant overnight. It produces documents in HIPAA-standard formats that can be understood by everyone in the health-care community.