Auditing Regulations

Op10.04-18 Auditing Regulations

Purpose

It is the policy of Missouri State to identify those policies put in place as required by the Health Insurance Portability and Accountability Act of 1996 (45 CFR Section 164.502 et seq.), and to audit and monitor compliance with those regulations to assure HIPAA compliance.

Application

Missouri State, its Health Care Components (HCC) and workforce.

  1. Procedure
    1. All Missouri State HCCs, under the direction of the University HIPAA Privacy Officer, shall audit and monitor a set of key indicators for each HIPAA policy that requires the audit and monitoring function.
    2. Each HIPAA policy to be monitored will be identified by having the following language placed in the policy: "The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented."
    3. Key indicators will be selected by the University Privacy Officer in conjunction with the Unit Privacy Officers, and may change on a yearly basis. Typically two key indicators will be selected for review for each policy, but additional key indicators may be selected at the discretion of the University Privacy Officer.
    4. Beginning in April 2003, each Unit Privacy Officer and the University Privacy Officer (as applicable) shall begin to collect information on the set of key indicators selected for that year.
    5. On April 30 of each year beginning in April 2004, each Unit Privacy Officer shall provide the results of that audit and monitoring activity to the University Privacy Officer, using the format prescribed by the University Privacy Officer or the HIPAA Management Team.
    6. The Unit Privacy Officer and/or the University Privacy Officer may designate some other University staff to assist with the collection of the data regarding the key indicators.
    7. The University Privacy Officer shall then analyze the results, requesting assistance as needed, and then provide feedback to the HIPAA Management Team of any trends regarding the HIPAA policies, and any changes or revisions indicated through the audit and monitoring process. That feedback shall occur no later than July 1 of the same year.
    8. Feedback will be provided to the Unit Privacy Officers for sharing with the administration at each respective unit.
    9. The University Privacy Officer may utilize the assistance of the Office of Internal Audit and Risk Management as determined necessary and appropriate in all audit functions.
  2. Sanctions. Failure to comply or assure compliance with this policy may result in disciplinary action, up to and including dismissal.

HISTORY: Effective March 21, 2003