When most organizations ask how to meet HIPAA compliance regulations, what they’re really asking is: what happens if you don’t meet HIPAA regulations? A HIPAA audit, or security assessment, is when the HHS Office for Civil Rights (OCR) asks an organization to demonstrate how it has fulfilled its obligations to protect PHI under HIPAA legislation. In this article, we’ll outline preparation steps and costs, describe tools that can help you prepare and pass, and provide a step-by-step guide to passing a HIPAA audit.
What is a HIPAA audit?
HIPAA audits, or security assessments, are conducted on the same basis as other sorts of government audits. Just like an audit by the IRS, being selected for a HIPAA audit doesn’t mean that your organization is under suspicion for wrongdoing. However, if your organization has recently had a security breach, you may be singled out.
The purpose of these assessments is to confirm that your organization and its business associates comply with HIPAA Title II and the HIPAA Privacy, Security, and Breach Notification Rules, the sections of HIPAA law that dictate how healthcare organizations must handle PHI (protected health information) and ePHI (PHI in electronic form). If selected, your organization will be asked to provide clear documentation of how it protects PHI from misuse.
You will need to provide documentation for the following categories:
- Physical safeguards. These include facility security measures like closed-circuit monitoring and alarms, workstation and device security, and policies restricting use of workstations and media containing PHI to authorized personnel.
- Administrative safeguards. These include the presence of security personnel, information access management systems, workforce training, and an established security process.
- Technical safeguards. These include access control, audit control, integrity control, and encryption and transmission security.
How do I prepare for a HIPAA audit?
Preparing for a HIPAA audit retroactively is nearly always a mission doomed to fail. The OCR asks selected organizations to provide documentation outlining the entire scope of their HIPAA compliance program, from development through implementation and next steps. If you are covering all the bases, many of these documents will be prepared as you design your HIPAA compliance program.
Ideally, the necessary documentation to pass a HIPAA audit will be a natural byproduct of a strong security stance. Following these steps will help you pass a HIPAA security audit by ensuring high security standards in your organization’s day-to-day operations.
- Train employees on their responsibilities under HIPAA and how to properly handle ePHI.
- Build your Risk Management Plan and conduct regular risk analyses to recognize and minimize breach opportunities.
- Appoint HIPAA Security and Privacy Officers. In smaller organizations, this position can be covered by the same individual.
- Implement a compliance optimization tool to manage policies, track changes, and detect security gaps.
- Review how your policies are implemented at the physical, technical, and administrative levels.
- Conduct an internal audit. This can be done by your HIPAA Security and Privacy officers or by an outside organization.
- Design your Internal Remediation Plan, outlining how your organization will respond in case of a security emergency.
The risk of retroactive preparation is especially acute for documentation of technical safeguards, because a large part of this sphere revolves around access and accountability. In the cloud, all changes to systems and data must be documented. Retroactive documentation is difficult to do accurately and invites further scrutiny. For this reason, best practice for organizations storing or sharing ePHI in the cloud is to deploy compliance optimization and documentation software.
Automated compliance tools help you in four ways:
- Maintain an accurate record of which changes were made, by whom, and when.
- Maintain accountability in your workforce for proper handling of ePHI.
- Save hundreds of hours reconstructing histories weeks or months after an event.
- Eliminate time-intensive manual creation of administrative policies.
On a broader scope, you should be equipped for a HIPAA compliance audit with documents that demonstrate how you are proactively addressing opportunities for security breaches or misuse of ePHI at every level. These documents should answer questions like:
- How do we maintain a strong general security stance?
- Where are our vulnerabilities and how are we addressing them?
- How secure are our workstations and facilities?
- Do our employees and business associates (BAs) understand how to protect PHI?
- How do we ensure HIPAA compliance within our BYOD program?
- What are our future goals and milestones?
So what documents do you need for a HIPAA audit? If selected for a security assessment, your auditor will ask you for documents to prove your compliance with both the Privacy Rule and the Security Rule.
Documents Supporting Privacy Rule Compliance:
- Copies of business associate agreements
- Business associate compliance assurances
- Patient confidentiality forms
- Confidential communications requests
- Notice of Privacy Practices
- Disclosure agreements
- Whistleblower policies
- Work desk procedures
- HIPAA training logs
- Procedures and policies for PHI use
- Patient authorization forms (including patient intake consent forms)
- A comprehensive list of people with access to the facility
Documents Supporting Security Rule Compliance:
- HIPAA Risk Management Plan
- HIPAA Risk Analysis
- PHI location documentation (e.g., a PHI map)
- How you’ve eliminated third-party risks
- How the environment is coping with identified vulnerabilities
- Incident response plan/breach response plan
- Explanation of any addressable implementation specifications that were not implemented
- Compliant processes and procedures
- List of authorized wireless access points
- List of all devices including physical location, serial numbers, and make/model
- Electronic commerce agreements
- Trading partner security requirements
- Lists of vendors
- Policies and procedures for the Security Rule, Privacy Rule, and Breach Notification Rule
How much does a HIPAA audit cost?
Undergoing a HIPAA audit by the OCR is your organization’s D-Day. Failing to pass could result in fines of hundreds of thousands of dollars, as demonstrated by some of the most recent HIPAA breaches. For this reason, some organizations choose to independently conduct a HIPAA security self-assessment through a third-party auditing organization. These assessments are intended to help organizations identify and eliminate any gaps in compliance that could lead to a security breach or be grounds for HIPAA fines. They do not issue a HIPAA compliance audit certification or shield your organization from an OCR audit, but they can be helpful for better understanding your risks.
The cost of a full privately conducted HIPAA audit typically runs between $20,000 and $50,000. While this might not be the right choice for every organization, taking this route can definitely be cheaper than the consequences of poor compliance. By comparison, the maximum fine for a HIPAA violation is $1.5 million. Alternatively, the US government provides its own free check, the Security Risk Assessment (SRA) Tool.
At the same time, a private audit or internal risk assessment is no substitute for consistently strong security and compliance practices. The best strategy for avoiding HIPAA violations is to implement risk-reducing policies and practices from Day 1. This can be difficult to do manually, especially if your organization hosts ePHI in the cloud.
Your cloud environment and the instances and assets in it are constantly changing as your software or organization scales. Many organizations find that documenting policies and controls for all their assets in real time is challenging, yet it is one of the most important factors in passing a HIPAA audit. Organizations using continuous compliance solutions like Dash consistently report having an easier time managing HIPAA compliance and stronger results in the face of an audit.
Rome was not conquered in a day, and your organization’s HIPAA compliance documentation process will not be, either. Prepping for a HIPAA audit is an ongoing process that should start from Day 1. Remember, even if your organization has strong security practices, they will not help you pass an audit unless you can document their implementation. If your organization has not yet prioritized HIPAA compliance and audit prep, now is the time to do so. When looking ahead to an audit, compliance automation and optimization tools are an important part of a successful HIPAA compliance strategy for organizations dealing with ePHI.