Hit audit matrix worksheet


Working overtime today and looking for help with an assignment. This is for a healthcare legal class. Fill in the blank in the word document with information to support the answer. There are 10 questions total and this would need to be completed by this evening. If you can help, please message me.

Health Information Technology

Audit Compliance Evaluation


Name: Haley Hemsworth

Date: October 5, 3021

Audit Findings

The Law and Code Section

Legal requirements & Penalties for non-compliance with the Law
(Support your

(Evaluate and Rate Risk Of Non
based on audit findings and penalties for non-
Justify your rating.

Priority Rank for
1 First to need action
10 Last to need action
For each audit finding determine its priority for action based on the compliance risk assessment
(Number each audit finding from 1-10 in order of priority with 1 being the first priority and each having a different number)
Justify your priorities

The next managerial action you would take to comply with the law
Describes the action you would take next.
State reasons to support your action and explain why it is the next action

1. The audit finds that the company has a good record retention policy in place and a solid process to de-identify personal health information (PHI) before removal of PHI from computers. This process has been in place for one year.

However, two years ago the company sold 10 office computers on eBay and replaced them with newer models. PHI of 10,000 patients was found on the 10 computers after they were sold. The company learned of this 1 ½ years ago and did nothing to follow up. There is no breach notice policy.

HIPAA Breach


2. The audit found that the organization has a patient portal where patients can review their electronic health information (EHI) through a secure portal. This has been popular with patients and there have been no security breaches. However, recent patient satisfaction surveys indicate patients would like to be able to access their prescription drug records through the portal. The organization outsources its pharmacy through a national vendor. The vendor is willing to make the information available, but the organization's EHR system is not compatible with the vendor, so it would be very expensive. The organization currently charges $12 for patient access to pharmacy records.

21st Century Cures Act and Patient Access to EHI

CEHRT Interoperability

3. The audit showed that a security risk analysis was done 5 years ago and that the issues identified were corrected. No security risk analysis has been completed since then even though the organization purchased a new electronic health record (EHR) system 2 years ago. The sellers of the EHR system said the system itself was a tool to manage risk.

The audit showed that there have been 5 security breaches in the last 5 years and that they all involved “curious employees” looking at the records of high-profile patients. The only action taken against the employees was a reprimand by the supervisor and attendance at an extra HIPAA training session.

HIPAA Security

4. The audit found that your health care organization is known internationally. In the last 2 years, you have treated 25 international patients of whom 10 were from the European Union (EU). All 10 of the EU patients requested their medical records be sent to their health care providers in the EU. Your health care organization honored these requests for medical records as it would any other medical record request.


5. The audit found that the organization has been involved in 10 large e-discovery requests in the last year related to lawsuits for claims of medical negligence. The audit found that all 10 e-discovery responses sent the records electronically. There was no process to review for privilege or whether the record request exceeded the scope of discovery.

E-Discovery Rule 26

Rule 502

HIPAA privacy

6. The audit revealed that there were 25 small discovery requests in the last year that went out by e-mail. In two of those requests, the e-mail was sent to opposing counsel instead of to the attorney requesting the organization in the court case. None of the e-mails were encrypted and 1 of the inadvertent e-mails to opposing counsel included mental health information of the patient. There was no follow-up. The organization has no policies or protocols for e-discovery.


HIPAA security

HIPAA mental health

State mental health

7. The audit revealed that incident reports have regularly been released as part of court e-discovery. The CEO would like to find a way to keep the incident reports protected from discovery.

HCQIA peer review immunity

Discovery privileges

8. Your audit revealed that one of your employees, “Billing Betty,” has been running a “side business.” She is a secretary in the billing department. She copies the patient health information (PHI) onto a thumb drive once a month, takes it home, and bills Medicare for prescription drugs for these patients. She has been earning a nice side income of $100,000 a month with the billings. When her supervisor asked her about a thumb drive they found, “Billing Betty” denied that it was hers.

The company itself bills all patients once a month at the end of the month for services rendered.

Medical Identity Theft

Red Flags Rule

False Claims Act

9. Your audit revealed that hackers have been accessing information on medical devices, including defibrillators, as a back door to get to other network computers. Hackers have used this strategy to access personal health information on 251 patients in the last year. The last 45 involved ransomware attacks where the cyberattacker demanded $100,000 each time to unlock the data. The company paid the first 3 times before it created backup files of the data.



HIPAA Security

HIPAA Breach Notice

10. The audit revealed that the organization is not yet using 2015 Edition CEHRT. The hospital can’t use EHR for electronic prescribing (eRx) and is not able to provide public health clinical data for reporting.

21st Century Cures Act

CMS Program Requirements



