According to the HIPAA Journal, penalties for a HIPAA violation include civil monetary penalties. They can even reach up to $2,134,831 per violation! In some cases, you can even be looking at some hefty criminal penalties, such as jail time. But don’t panic! We are here to give you tips and tricks on how to avoid running into a mess such as this. Let’s go over some basics first.
HIPAA stands for the Health Insurance Portability and Accountability Act. This is a federal law which protects patients’ health information and gives them rights to access their records.
Originally published in 1996, this act set a national standard for keeping protected health information (PHI) secure. It not only addresses the privacy side of healthcare, but also helps streamline overall communication and supports more accurate services. All in all, it helps optimize and protect our nation’s healthcare system.
This act applies to everyone who works with PHI. This includes healthcare workers, other covered entities, and business associates alike. And so, these companies must submit to regular HIPAA security audits, to prove they are in compliance with these regulations. Today we are going to go over what a HIPAA security audit is, how to perform one, and why they are important.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) establishes the requirement for all covered entities and business associates to undergo HIPAA audits. The United States Department of Health and Human Services (HHS) oversees this thorough process.
The HHS Office for Civil Rights (OCR)'s HIPAA Audit Program is key when it comes to keeping PHI secure. There is no “one size fits all” when it comes to HIPAA audit protocol, but there are certain points that you must cover. The OCR’s HIPAA Audit Program presents an opportunity to:
We can analyze an entity’s compliance through its processes, controls, and policies in relation to the HIPAA rules, specifically the Privacy, Security, and Breach Notification Rules. The audit addresses the implementation specifications of these rules and provides measurable criteria, as well as key questions to apply when developing your compliance training. Let’s quickly go over each of these rules and what they cover:
The audit protocol is further organized even after these sections. They use numbered elements which contain audit analysis requirements for the standards of these rules. Let’s break down the process by each of the three overarching rules.
There are two HIPAA audit requirements when it comes to the Privacy Rule. First, to protect individual health information. Second, to give individuals the option to access their PHI. In order to meet these requirements, businesses must comply with up to 14 sets of standards. While all covered entities must comply with the Privacy criteria, some standards do not apply across the board.
This is why “up to” is appropriate wording in this case. Organizations must review this list to determine which items apply to their operations. Here are 10 must haves when considering your Privacy Rule audit checklist:
The Security Rule audit, especially in comparison to the Privacy Rule, is pretty straightforward. There are fewer standards under this particular rule, and they are more structured and less open to interpretation. The Security Standards General Rules give covered entities the option of a “flexible approach” to how they implement the standards.
The Office of the National Coordinator for Health Information Technology (ONC) and the OCR created a tool to help organizations compile a HIPAA audit checklist for the Security Rule: the HIPAA Security Risk Assessment (SRA) tool.
The SRA helps healthcare providers and other covered entities navigate security risk assessments with regard to the Security Rule. For example, entities can consult the recently updated HHS Security Risk Assessment Tool and OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule for help in evaluating whether they have a compliant risk analysis and risk management process.
Entities and business associates can download this tool online as an Excel document. Using it helps fulfill the risk assessment requirements of the Security Rule audit section. This tool alone may not cover every organization, however, depending on the services they provide. Consider the following for your audit checklist:
All business associates must notify covered entities in the event of a security breach, and not just for incidents that involve unsecured ePHI. A breach is an incident in which PHI or ePHI is accessed or used in a manner not permitted under the Privacy Rule, compromising the security of that PHI.
Just like the Privacy and Security Rules, the Breach Notification Rule requires a robust audit checklist. Covered entities use different checklists than business associates. Covered entities can use a HIPAA breach notification tool to help decide whether a security incident is reportable.
While these checklists are different for each party, there are some common items to include:
Generally, an entity must provide notification following a security breach no later than 60 calendar days after its discovery. Finally, entities must provide evidence that they regularly conduct and document a risk analysis, including any policies and procedures for conducting this assessment. In this analysis they must include:
When it comes to HIPAA security, having a thorough and well-documented risk analysis and audit process is paramount. Of course, there are other tools to assist entities in complying with these requirements. For example, OCR publishes access guidelines, which help entities better understand how to provide patients with access to their PHI.
Improving your organization to stay compliant with HIPAA’s rules and regulations means fewer headaches in the long run. Acting out of compliance can mean hefty fines, a disruption in your revenue cycle, or even jail time.