U.S. healthcare organizations need to maintain compliance with HIPAA data privacy and security regulations. Without implementing the necessary measures to ensure compliance, organizations could find themselves on the receiving end of expensive and damaging non-compliance penalties.
HIPAA’s primary goal is to protect the privacy and security of patients’ protected health information (PHI), and the best way to verify compliance is with an internal audit. An effective HIPAA compliance audit should include the following steps:
Keep reading to learn more about HIPAA compliance audits and how to conduct one.
In this article:
HIPAA audits are comprehensive assessments conducted to ensure that organizations are in compliance with the regulations set forth by HIPAA. Many organizations opt to conduct internal audits periodically. An internal audit program helps to ensure their processes, policies, and controls are effective and prevent HIPAA violations and penalties.
The Office for Civil Rights (OCR) also conducts periodic audits to ensure that healthcare organizations comply with HIPAA regulations. These HIPAA audits are conducted based on various sampling criteria, including the size, affiliation, entity type, public/private status, geography, and enforcement history of the organizations.
Every covered entity and business associate is eligible for a HIPAA audit, and OCR may use publicly available information to create its audit pool if an entity fails to respond to information requests.
Once selected for an audit, organizations are notified via email and are required to submit requested documents and data within 10 business days.
The submitted documentation is then reviewed by auditors, who develop draft findings and share them with the audited entity. The auditee has the opportunity to respond to these draft findings, and their written responses are included in the final audit report.
Internal and OCR-required HIPAA audits typically last from several weeks to several months, depending on the size and complexity of the organization.
During the OCR audit process, the covered entity or business associate is given specific timeframes to respond to auditors' requests for information and complete the final report.
The timing of the audit can vary, and in some cases, organizations may receive advance notice of the audit. This allows them to prepare and gather the necessary documentation and evidence to demonstrate their compliance with HIPAA regulations.
The duration of a HIPAA audit can be quite extensive, requiring organizations to dedicate significant time and resources to ensure a successful outcome.
The first step is to designate a point person for the audit. The individual will be responsible for understanding HIPAA regulations and the ramifications of noncompliance with the Privacy, Security, and Breach Notification Rules.
This person will take the leading role in performing the subsequent steps in the audit, and duties may entail obtaining support from management and identifying the key personnel responsible for implementing HIPAA rules throughout the organization.
In large organizations, this role may be a full-time position filled by a dedicated HIPAA Compliance Officer. Smaller organizations typically assign a trusted and knowledgeable individual as the security and privacy expert for the duration of the audit.
The individual needs to work with management to determine the audit’s scope and objectives. In some cases, only a subset of an IT environment processes HIPAA-regulated data, and the systems and applications subject to HIPAA guidelines will need to be identified and documented.
The specific objectives of the audit need to be defined for each system and application in scope. Elements under review should include the administrative, physical, and technical safeguards implemented to protect regulated data stored or processed by in-scope systems.
Other items that are typically in scope are breach response procedures and data privacy policies.
This step also involves identifying the key personnel or subject matter experts (SMEs) who will serve as resources for the audit. These individuals should be familiar with the procedures and practices used in the processing of PHI.
Once the audit scope and objectives are defined, it is time to review all existing documentation supporting HIPAA compliance.
The documents that should be collected include:
Interview the key personnel and SMEs identified in previous steps to establish their knowledge regarding HIPAA and the compliance activities they take when performing their jobs.
SMEs should be queried on their areas of expertise to ensure the appropriate safeguards are in place to protect PHI, and all potential issues should be documented and promptly addressed
Organizations must perform a thorough review of all existing controls, policies, and procedures related to the privacy and security of sensitive health information. The review typically includes the following elements.
All security controls in place to protect PHI should be evaluated. These include:
Review all policies related to the privacy of PHI for completeness and adherence to HIPAA regulations.
Items to be looked at include:
HIPAA regulations mandate appropriate training for all employees and contractors handling PHI, and an audit should evaluate the value of current training and education to ensure it meets HIPAA standards.
In addition, staff members should receive annual education which should be documented with records of the training being made available to auditors.
Breach response plans need to be reviewed to ensure that appropriate actions will be taken in the event of a breach involving PHI. This includes evaluating and modernizing mitigation strategies and verifying that all required notifications are made when necessary.
Technical assessments should be conducted on all in-scope systems and applications. These include a risk analysis, penetration tests, and vulnerability scans designed to find weaknesses that can impact the ability to protect PHI.
SMEs should be engaged to test their systems, and, once again, all issues should be documented and addressed as soon as possible.
The purpose of a HIPAA audit is to ensure the security and privacy of the PHI an organization processes. Findings represent gaps or vulnerabilities that may impact the ability to protect PHI.
It is therefore crucial to document any audit findings that may indicate a lack of compliance readiness or specific areas of the IT environment that need improvement. Documenting these findings is the first step in eliminating these issues to achieve compliance.
Audit findings will then need to be addressed with remediation plans. These plans should be designed to mitigate any vulnerabilities that could lead to non-compliance violations as quickly as possible. Failure to address known issues is a common HIPAA violation and can result in significant fines.
Data loss prevention (DLP) software is a valuable tool to promote HIPAA compliance. The Reveal Platform by Next automatically enforces an organization’s data handling policies to eliminate the misuse of regulated data. The tool also emphasizes data security by providing user training at the point of risk.
Talk to the data loss prevention experts at Next and set up a demo to see Reveal in action. Investing in the right DLP tool today could save you thousands of dollars in fines tomorrow.
HIPAA requires all covered entities and their business associates to conduct internal audits annually. The results of the audit including any findings and remediation activities need to be documented for use in subsequent internal or external audits.
Companies without sufficient internal resources to conduct an audit can engage certified third-party auditors.
Audit findings should be addressed promptly for multiple reasons. Most importantly, gaps must be closed to protect the integrity, security, and privacy of PHI.
Findings that are not addressed quickly may be considered willful neglect on the part of the violator and result in greater fines than if corrective actions had been taken.
It is important to establish audit scope and objectives because this should be an exercise that focuses on data falling under HIPAA regulations. Incorporating other systems that do not contain regulated data into this audit opens the door to unnecessary complications and oversights that can negatively impact HIPAA compliance and the way PHI is protected.
Blog
Blog
Blog
Blog
Resources
Resources
Resources
Resources