HIPAA Security Audit: Everything You Need to Know

According to the HIPAA Journal, penalties for a HIPAA violation include civil monetary penalties. They can even reach up to $2,134,831 per violation! In some cases, you can even be looking at some hefty criminal penalties, such as jail time. But don’t panic! We are here to give you tips and tricks on how to avoid running into a mess such as this. Let’s go over some basics first.

HIPAA stands for the Health Insurance Portability and Accountability Act. This is a federal law which protects patients’ health information and gives them rights to access their records.

Originally published in 1996, this act set a national standard when it comes to keeping protected health information (PHI) secure. It not only helps with the privacy aspect of healthcare, but also helps better streamline overall communication and provide more accurate services. All in all, helping to optimize and protect our nation’s healthcare system.

This act applies to everyone who works with PHI. This includes healthcare workers, other covered entities, and business associates alike. And so, these companies must submit to regular HIPAA security audits, to prove they are in compliance with these regulations. Today we are going to go over what a HIPAA security audit is, how to perform one, and why they are important.

HIPAA Audit Program

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) holds the requirements for all covered entities and business associates to perform HIPAA audits. The United States Department of Health and Human Services (HHS) oversees this thorough process. 

The HHS Office for Civil Rights (OCR)'s HIPAA Audit Program is key when it comes to keeping PHI secure. There is no “one size fits all” when it comes to HIPAA audit protocol, but there are certain points that you must cover. The OCR’s HIPAA Audit Program presents an opportunity to:

  • Examine mechanisms for compliance. 

  • Identify best practices. 

  • Discover risks and vulnerabilities.

  • Prevent data breaches.

We can analyze an entity’s compliance through their processes, controls, and policies in relation to HIPAA rules. Specifically the Privacy, Security, and Breach Notification Rules. The audit addresses implementation specifications of these rules and provides measurable criteria. As well as key questions to apply when developing your compliance training. Let’s quickly go over each of these rules and what they cover:

  • Privacy Rule: Protects PHI and allows patients to securely access their health records. Emphasizes and defines patients’ rights.

  • Security Rule: Similar to the Privacy rule, but covers electronically protected health information (ePHI). 

  • Breach Notification Rule: A requirement that holds entities accountable for reporting breaches of unsecured PHI and ePHI. Those who must receive notification are the patients, the HHS, and (in certain circumstances) the media.

The audit protocol is further organized even after these sections. They use numbered elements which contain audit analysis requirements for the standards of these rules. Let’s break down the process by each of the three overarching rules.

Privacy Rule Audit Checklist

There are two HIPAA audit requirements when it comes to the Privacy Rule. First, to protect individual health information. Second, to give individuals the option to access their PHI. In order to meet these requirements, businesses must comply with up to 14 sets of standards. While all covered entities must comply with the Privacy criteria, some standards do not apply across the board.

This is why “up to” is appropriate wording in this case. Organizations must review this list to determine which items apply to their operations. Here are 10 must haves when considering your Privacy Rule audit checklist:

  • Designate a Privacy officer.

  • Define what constitutes PHI.

  • Define permissible uses and disclosure.

  • Solid procedure for obtaining prior authorization.

  • Notice of privacy practices provided to patients.

  • Procedure on how to respond to requests for privacy protection.

  • Procedure for responding to requests for access, correction, and transfer. 

  • Procedures for maintaining an accounting of disclosures.

  • Workforce training.

  • Documentation procedures.

Security Rule Audit Checklist

The Security Rule audit, especially in comparison to the Privacy Rule, is pretty straightforward. There are fewer standards under this particular rule and these standards are more structured. Less open to interpretation. The Security Standards General Rules give covered entities the option of a “flexible approach” on how they implement standards. 

The Office of the National Coordinator for Health Information Technology (ONC) and the OCR, created a tool to help organizations compile a HIPAA audit checklist for the Security Rule. It is the HIPAA Security Risk Assessment (SRA) tool.

The SRA helps healthcare providers and other covered entities navigate security risk assessments in regards to the Security Rule. For example, entities can consult the recently updated HHS Security Risk Assessment Tool and OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule for help in evaluating whether they have a compliant risk analysis and risk management process.

Entities and business associates are able to download this tool online  as an excel document. Doing so helps fulfill risk assessment requirements in regards to the Security Rule audit section. Although, this tool alone may not cover all organizations, depending on the services they provide. Consider the following for your audit checklist:

  • 1. Designate a HIPAA Security Officer.

  • 2. Identify where ePHI originates from.

  • 3. Define how users access ePHI.

  • 4. Consider existing security software.

  • 5. Consider existing role-based access controls.

  • 6. Consider other existing security mechanisms.

  • 7. Consider existing processes for reporting security incidents

  • 8. Do you already have a security awareness training program?

  • 9. Do you enforce a scaled sanctions policy?

  • 10. Is there already a contingency or emergency action plan?

Breach Notification Rule Audit Checklist

All business associates must notify covered entities in the event of a security breach. And not just those incidents that involve unsecured ePHI. A breach is an incident where the access or use of PHI or ePHI in a manner that is not permitted under the Privacy Rule occurs. This compromises the security of said PHI.

Just like the Privacy and Security Rules, the breach notification rule requires a robust audit checklist. Covered entities use different checklists than business associates. Covered entities can use a HIPAA breach notification tool to help decide whether a security incident is reportable.

While these checklists are different for each party, there are some common items to include:

  • Following a breach, provide notification to affected individuals, the HHS, and, in certain circumstances, to the media. 

  • Note how the breach or security incident occurred.

  • Include how you mitigated the incident.

  • Documentation on how to prevent incidents like this from happening again.

  • Also, you must keep documentation of procedures, breaches/security incidents, and the outcomes for a minimum of 6 years.

  • Make sure to assign responsibilities of notifying the correct people beforehand.

Generally, an entity must provide notification following a security breach no later than 60 calendar days after its discovery. Finally, entities must provide evidence that they regularly conduct and document risk analysis. This includes providing any policies and procedures for conducting this assessment. In this analysis they must include:

  • Current and previous risk analyses and the results. 

  • Policy and procedures of the risk analysis process. 

  • Policies and procedures in regards to the implementation of risk analysis. 

  • Documentation demonstrating the implementation. 

  • How documentation is available to those responsible for the process.

  • Evidence the documentation is periodically reviewed and updated.

Conclusion

When discussing the subject of HIPAA security, having a thorough and well-documented risk analysis and audit process is pinnacle. Of course, there are other tools to assist entities in complying with these requirements. For example, OCR has access guidelines, which help entities better understand how to provide patients access to their PHI. Improving your organization to stay compliant with HIPAA’s rules and regulations means less headaches in the long run. Acting out of compliance can mean hefty fines, a disruption in your revenue cycle, or even jail time. 

It's time to protect your bottom line.