Audit Preparation: No Need for Panic!

Building an auditing and monitoring process does not mean we need to start from scratch; however, standardizing the process can be a challenging task.
Because of our unique place in healthcare and the services we provide, we usually have both internal and external audits. What’s the difference?

An internal audit is conducted by an internal department (e.g. facility audits), and its results and resolutions are reported internally. An external audit, by contrast, is conducted by an external entity, such as a private audit firm or a state, federal or other reporting agency, and its results and resolutions are reported both internally and externally.

Our internal audit is our first line of defense when it comes to identifying system problems and operational gaps. When we identify potential non-compliance, it is important that we address those gaps immediately where possible, or develop a corrective action plan that outlines how we intend to fix and resolve the non-compliance.

Consider the following:

  • Let your risk areas drive auditing and monitoring
  • Use existing results from both internal and external audits
  • Keep business unit stakeholders heavily involved in the process
  • Reinforce corporate compliance program objectives
  • Don’t be overcome by the documentation process

Pre-Audit – Ensure that the appropriate subject matter expert (SME) is involved in the planning, implementation and resolution phases of the audit. Hold regular meetings to discuss any challenges in gathering audit materials. Always run quality control checks on the data to be audited before the audit starts.

During the Audit – Manage scope creep: provide only the materials the audit actually requires. Answer questions that are specific to the audit, and make sure SMEs are available to the auditors throughout.

Post-Audit – Review and report findings. Draft an action plan to address non-compliance. Confirm an implementation and re-evaluation timeline. Review lessons learned to improve the audit process for next time.


Securing Protected Health Information (PHI) in Motion

Welcome to another month of Compliance Corner! Today, we’re talking all about protected health information, also known as PHI. Securing PHI in motion is a top priority here at Nova Medical Centers. Here are some great reminders if you handle PHI on a daily basis.

What we know for sure about HIPAA and PHI:

1. We must secure paper records that include PHI.
2. We must report an incident if it involves the loss or theft of any such records.
3. Many Nova employees have access to PHI.

However, what we should know but sometimes forget is:

1. How important it is to secure PHI at all times.
2. PHI is always in motion, because we are always working with it in some format.

Here are a few precautions we need to take to always ensure that PHI in motion is still protected and secure:

If PHI is not in use, lock it up:
o Store it in a locked cabinet and secure the key
o Never leave it on an open shelf in your office, copy room or hallway

If PHI is in use during the work day, never leave it unattended:
o Turn over or cover the information so that no personal identifiers are visible
o Always shut your office door during the day if you have PHI in your office

Printing PHI:
o Avoid printing PHI when possible
o When printing, be sure to select the correct printer
o If you print to the wrong printer in error, ensure that you locate the printer and have your document retrieved or destroyed
o Always pick up printed materials from the printer as soon as they are printed
o At the end of the day, make sure that printed or faxed information containing PHI is removed or destroyed

When mailing a paper document containing PHI, make sure that no PHI is visible through the envelope window:

o The name and address should be the only information visible
o When possible, use a confidential stamp on the envelope


Securely dispose of PHI by always using a secure shred bin

All PHI or Confidential information should be cleared off your desk and surrounding work area at the end of each work day to minimize unauthorized exposure:


  • Phone logs
  • Mailing list
  • Medical Records
  • Provider Files
  • Financial Statement
  • Personnel Files

For additional guidance on Nova requirements for securing PHI, please be sure to review our Corporate Compliance Policy:
CC-0702: Clean Desk and PHI Safeguard.



Password security: How strong is your password?

Welcome to ‘Compliance Corner.’ Every month, Nova Medical Centers’ employees can find helpful reminders and useful tips to maintain quality standards across a variety of categories. Not an employee of Nova? That’s okay! These tips are helpful for anyone! This month we’re talking about password security. How confident are you in the strength of your passwords?

Password: do I really need one? Yes, you do. Passwords provide the first line of defense against unauthorized access to your computer and to electronic protected health information (ePHI). Can I use my pet’s name as my password? This is not a good idea. The stronger your password, the better protected your computer is from malicious software, and the more reliable your ID authentication will be. Securing ePHI is only as strong as its weakest link. As such, Nova workforce members are required to create strong passwords.

Here are some tips that can help you create a strong password:

  • It is at least eight characters long
  • It does not contain your user name, real name, or company
  • It does not contain a complete word
  • It is significantly different from previous passwords
  • It should be a combination of numbers, symbols, uppercase and lowercase letters
  • Use phrases to help you create passwords
  • It should never be shared with others


Strong passwords:

My Son’s Birthday is 12 December 2004 = Msbi12/Dec.4 or Mi$unB-day121204
2014 Summer vacation in New York = NYCsum-Vaca14 or 14Vaca@NYC

Weak passwords:

Hello to You = Hello2U instead try: H3lloToo-U
I love You = IluvU instead try: !l-u-vU
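As an added example (not Nova’s own tooling, and not code from this page), here is a small Python checker that applies the tips above to the sample passwords. The user name, real name, company and previous-password values, and the tiny word list standing in for a real dictionary, are constructed assumptions.

```python
import difflib
import string

# Constructed mini dictionary standing in for a real wordlist (assumption).
COMMON_WORDS = ("hello", "love", "password", "summer", "york", "vacation",
                "birthday", "december", "welcome")


def check_password(password, username="", real_name="", company="",
                   previous=()):
    """Return the tips-list rules the password breaks (empty = all satisfied)."""
    problems = []
    low = password.lower()

    # Rule: at least eight characters long.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Rule: does not contain your user name, real name, or company.
    # Each word of the name is checked separately (initials are ignored).
    for label, value in (("user name", username), ("real name", real_name),
                         ("company", company)):
        for part in value.lower().split():
            if len(part) >= 3 and part in low:
                problems.append(f"contains {label} ({part})")

    # Rule: does not contain a complete word.
    for word in COMMON_WORDS:
        if word in low:
            problems.append(f"contains dictionary word ({word})")

    # Rule: a combination of numbers, symbols, uppercase and lowercase.
    classes = {
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")

    # Rule: significantly different from previous passwords.
    # Assumption: a similarity ratio above 0.7 counts as "not different".
    for old in previous:
        ratio = difflib.SequenceMatcher(None, low, old.lower()).ratio()
        if ratio > 0.7:
            problems.append(f"too similar to a previous password ({ratio:.2f})")
    return problems
```

Run against the samples, the four strong passwords and H3lloToo-U pass every rule, while Hello2U and IluvU fail on length; note that the suggested !l-u-vU is seven characters and has no digit, so the checker flags it against the tips as written.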

For additional guidance on Nova password requirements and ID Authentication, please be sure to review our Corporate Compliance Policy: CC-0708 Authentication and Password Management.


Email Etiquette: 8 Steps to Clear and Concise Communication

Welcome to ‘Compliance Corner.’ Every month, Nova Medical Centers’ employees can find helpful reminders and useful tips to maintain quality standards across a variety of categories. Not an employee of Nova? That’s okay! These tips are helpful for anyone! This month we’re talking about email etiquette. Email has been around, what seems like, forever. Right? But are you communicating concisely through your business email?

According to a survey conducted by the UCLA Center for Communication Policy (The UCLA Internet Report: Surveying the Digital Future, UCLA Center for Communication Policy, 2001), almost 88% of all internet users use email. The same survey also indicated that 90% use email for business purposes. At Nova, many employees will at some point use email to communicate internally or externally.

Do you use proper email etiquette? If you don’t, you may be sending the wrong message to your reader and this could reflect poorly on you and your department. Similarly to paper documents, email communication can impact compliance and quality standards. This is why it is important that when we communicate via email the information is clear and concise.

Here are some steps you can take to help you maintain compliance and quality standards when communicating by email:

Send Secure

Do not distribute Protected Health Information (PHI/ePHI) via email. If you must distribute PHI/ePHI to an outside recipient via email, including attachments with PHI, you must use the “7-Zip” program to encrypt the attachment prior to sending.

Confidentiality Disclosure

Always ensure that the approved confidentiality statement has been incorporated into all emails originating from your department for external distribution to Non-Nova entities. Get help from IT if you are not sure if the confidentiality disclosure is incorporated in your emails.

Subject Line

Don’t leave it blank. The goal is for the reader to know what your email is about from the subject line alone (a bad subject line: Please Read; a good subject line: Compliance Meeting Agenda).

Manners and Tone

Think of the basic rules you learned growing up, like saying please and thank you. Address people you don’t know as Mr., Ms., or Dr. It is very difficult to express tone in writing. You want to come across as respectful, friendly, and approachable. You don’t want to sound curt or demanding. Sometimes just rearranging your paragraphs will help.

Be Clear and Concise

Get to the point of your email as quickly as possible, but don’t leave out important details that will help your reader answer your questions. Use bullets and white space to highlight the main points of an email, but limit the use of bold and underlined text; overusing them can minimize the importance of your message. Avoid using CAPITAL letters in your email; it’s like shouting at your reader.

Be Professional

This means staying away from abbreviations and acronyms. For example, DOH in Human Resources means “Date of Hire”; to others it may mean “Department of Health.” Don’t use emoticons (those little smiley faces). Avoid adding backgrounds and wallpaper to your emails; they can distract the reader.

Use Correct Spelling and Proper Grammar

Use a dictionary or enable the auto spell check feature on your email account. Pay attention to basic rules of grammar. Reread your email prior to sending.

Out of Office

Utilize the out of office feature when you are out of the office for extended periods of time. Give the sender an alternate contact and the specific time you will return to the office.

Remember, emails are a permanent record of communication and should be viewed as a “memo,” not as an “instant message.” Emails should be used as a means to communicate effectively with others. Keep in mind that email will not absolve you of responsibility, so be selective and careful about what you put into an email, whether confidential business matters or personal information and opinions. If something is important, or there is a breakdown in communication, pick up the phone or schedule time to meet in person to resolve the issue.

Email is an effective form of communication, but it should not replace all face-to-face communication. The next time you are about to hit the “SEND” button, keep in mind that email offers speed of delivery, permanent storage, and easy replication. As such, we only want to communicate accurate, clear and concise information at all times.