How to Effectively Prepare for a HIPAA Compliance Audit

The Department of Health and Human Services’ Office for Civil Rights (OCR) conducts periodic audits to verify that covered entities (CEs) and their business associates (BAs) are complying with HIPAA regulations. This article will discuss the steps organizations can take to ensure they pass a HIPAA compliance audit by having the proper data privacy and security measures in place for protected health information (PHI) and electronically protected health information (ePHI). 

What Is a HIPAA Compliance Audit?

A HIPAA compliance audit is an exercise carried out by the OCR that examines how an organization is handling its PHI and ePHI. There are five main HIPAA rules of which two, regarding security and privacy, are significantly more important than the others. The five main HIPAA rules are:

• The Privacy Rule, designed to protect individuals’ PHI and medical records by defining limits on how such information can be used without patient authorization. It also provides patients with the right to view and obtain a copy of their medical records.
• The Security Rule outlines how PHI is stored, accessed, and transmitted. The methods and procedures used to protect the security of sensitive data are defined in the rule. The rule establishes administrative, technical, and physical safeguards that are required to meet the standards regarding the security of PHI and ePHI.
• The Transaction Rule addresses the codes used in HIPAA transactions and specifies how they are used to ensure medical records are secure and accurate.
• The Identifiers Rule is meant to ensure that the unique HIPAA identifiers are used correctly by CEs performing regulated administrative and financial transactions.
• The Enforcement Rule addresses the penalties levied for violations of HIPAA security and privacy requirements.

Auditors from the OCR will investigate an organization to ensure they are complying with all HIPAA rules. During the audit, the CEs and BAs under review need to demonstrate their compliance with HIPAA rules. The goal is to assess the policies, controls, and processes in use by CEs and BAs to protect PHI and ePHI. Failure to verify compliance can result in financial penalties levied against the offending organization. 

Why Are Organizations Chosen for an Audit?

HIPAA compliance audits are not regularly performed on all businesses operating in the healthcare field. While this might be a good practice to ensure all CEs and BAs are adhering to HIPAA standards, there are not sufficient resources in the OCR to send auditors to every healthcare provider or business associate.

Organizations can be selected to undergo a HIPAA audit for several reasons that include:

• Response to a complaint against the organization received by the OCR.
• A data breach that has been self-reported to the OCR.
• Random selection by the OCR.

Any covered entity or business associate is eligible to be audited. OCR distributes a questionnaire that gathers information about the details of potential audit candidates. If an organization does not reply to the questionnaire, publicly available information is used to determine the viability of an audit.

Since HIPAA audits can be triggered randomly or due to an unexpected data breach or complaint, companies in the healthcare industry need to be prepared to undergo one at any time. 

A Roadmap for a Successful HIPAA Compliance Audit

Preparedness is the key to successfully negotiating a HIPAA compliance audit conducted by the OCR. The most effective method of ensuring an organization is compliant with HIPAA regulations is by performing self-assessments to identify potential flaws in the way PHI is being handled. These shortcomings can then be addressed and proactively resolved before a data breach occurs, resulting in a visit from the OCR. 

A preparedness assessment for a HIPAA audit can be carried out by internal teams or an outside entity. In both cases, similar factors and characteristics of the CE or BA need to be considered and appropriate documentation provided to demonstrate compliance. A methodical approach that makes use of a HIPAA compliance checklist offers a great place to start preparing for an audit. Once an organization understands the guidelines for which it is accountable, it can begin the process of ensuring it meets them. 

The following elements are essential components of an effective plan to ensure a CE or BA can pass a HIPAA audit: 

Choosing a security and privacy officer

Someone in the organization needs to be responsible for demonstrating the steps being taken to protect the privacy and security of PHI. The officer should schedule periodic reviews and risk analyses of applicable procedures. All data breaches or incidents need to be recorded and made available to the OCR. Agreements with business associates, such as those providing HIPAA hosting services, need to be reviewed for compliance. 

Emphasizing employee training

HIPAA guidelines require all employees involved with the processing of PHI or ePHI to be adequately trained in maintaining its privacy and security. Records need to be kept to demonstrate this training to auditors.

Analyzing and reviewing current policies

All procedures and policies related to compliance with HIPAA rules need to be thoroughly documented. The documents need to be easily accessible and available to guide everyday business operations as well as satisfy audit requirements. 

Performing an internal audit

Internal audits provide the most effective platform for identifying areas of a business that need to be strengthened to maintain HIPAA compliance. Subject matter experts in the infrastructure, storage, backup, and recovery of ePHI should be engaged to ascertain the level of system compliance. Detailed findings of inadequacies should be generated so the issues can be corrected.

Remediating audit findings

All findings discovered during the internal audit need to be remediated. Proper documentation should indicate the procedural modifications that were implemented to make the systems compliant. 

Conclusion

Organizations in the healthcare industry do not need to fear a HIPAA compliance audit. Following the roadmap presented above will put a company in a good position to protect PHI and pass an audit. Employee training and analysis of current procedures should be ongoing to constantly improve how privacy and security are implemented. Internal audits should be conducted regularly and all findings addressed promptly.

By taking these steps, businesses in the healthcare field can ensure they can pass a HIPAA compliance audit while providing sensitive patient data with the privacy and security it deserves. 

Contributed by Atlantic.Net, Inc.

Atlantic.Net provides HIPAA-compliant hosting. Our state-of-the-art infrastructure is SOC2, SOC3, HIPAA, and HITECH compliant and housed in secure, climate-controlled facilities with constant monitoring and multiple direct connections to the Internet backbone to ensure availability and data safety.