How to Prepare for a HIPAA Audit: A 10-Point Checklist

The results from the first round of HIPAA audits in 2017, conducted by the Health and Human Services Department’s Office for Civil Rights (OCR), were a bit alarming from a compliance standpoint. Many healthcare firms, particularly smaller ones, are not using appropriate security tools for ePHI.

Zinethia Clemmons, who led these Phase 1 audits as the HIPAA compliance audit program director of the OCR, said that a shocking two-thirds of companies (66%) did not have thorough and up-to-date risk assessments in place.

Clemmons’ report echoes the information from a recent poll. The survey spoke with 150 executives who are in charge of HIPAA compliance at organizations with a maximum of 500 employees. The poll found that:

• 26% are not currently encrypting mobile;
• 27% are not encrypting emails that include ePHI;
• 41% are unsure what the company’s standard interval is for reviewing firewall rules;
• 50% are unsure if multi-factor authentication (MFA) is in place; and
• 51% are not testing their workforce for knowledge of HIPAA parameters.

Given the difficulties many organizations have with HIPAA compliance generally, many are underprepared when it comes time for a HIPAA audit. Luckily, there are several straightforward steps you can take to be as ready as possible for this stringent assessment of your digital and physical security approach.

The 10-Point HIPAA Audit Checklist

1. Limit your review.
2. Audit yourself.
3. Gather employee training manuals.
4. Create a risk management plan & risk analysis.
5. Organize security documents.
6. Go beyond policy.
7. Think from the perspective of the government (or a third-party auditor).
8. Be ready to talk security.
9. Determine the person who will be in charge of privacy & security.
10. Review your business associate agreements.

Limit your review.

Yes, you need to be concerned about business associate agreements (BAAs) related to your relationships with outside providers. However, when you are preparing for an audit, it is important to center yourself on internal documentation and practices.

Audit yourself.

An internal audit can be powerful in revealing elements of your system that you could correct and resolve so they are not discovered in the official audit. Conducting one of these audits at regular intervals will allow you to see any aspects of your environment that may not have needed attention previously.

Working with a third-party organization that specializes in compliance can help you properly determine how well your firm meets security and compliance standards. It is worth noting that third-party professionals are looking at your systems from the outside, which means they share the same point-of-view as a malicious intruder.

Through the self-audit, you can determine ways to approach remediation. As opposed to being caught off-guard by findings of an audit, it is better to have conducted your own audit and be working toward remediation of any risks, with appropriate timelines – even if the schedule extends for a year or more.

Gather employee training manuals.

Employees who do not have expertise or previous experience with compliance can be problematic. It is essential to train. Documentation of the training is then great to show to an auditor to indicate your organization’s dedication to education.

Through policies and training documents, you can show the specialists who are evaluating your system that your organization is aware of the primary HIPAA stipulations. The OCR will check that your employees do in fact understand HIPAA law – so it is also smart to prepare your staff by having them brush up on the manuals.

Create a risk management plan & risk analysis.

These two risk-related components are mandatory according to the healthcare law. The risk management plan is simply an organized and thorough strategy to address the risks to which your firm is exposed. The plan is based off the risk analysis, which is the initial effort to uncover all forms of risk that are present.

Organize security documents.

Your security policies and procedures should all be on paper and specifically applied to all aspects of your business. Examples policies are those for the HIPAA Privacy and Security Rule, business continuity, incident response, firewalls, and physical security. These policies are both useful to you in the operation of your business (to bolster organization and efficiency) and when showing an auditor how you keep all data protected.

Go beyond policy.

When you audit your organization, it is important to think in terms of how policies and procedures are being applied. You may have elements of your documentation that are well-intentioned and reasonable but not easy to implement consistently.

To really go beyond the paperwork, assess and interview the staff to determine the extent to which your policy is effective on the ground. The auditors will be very concerned that what is within the policy documents is reflected in action.

Think from the perspective of the government (or third-party auditor).

The OCR is legally allowed, per HIPAA, to assess and evaluate any practices, policies, or procedures of covered entities and business associates. As enforcers of HIPAA, the OCR is also able to specifically analyze the parameters through which a violation may have occurred. To better understand that process, be aware of 45 CFR 164.316 – “Policies and procedures and documentation requirements” – from the Code of Federal Regulations. The Subpart C in which section (§) 164.316 is contained is entitled “Security Standards for the Protection of Electronic Protected Health Information.” The documentation requirements are specifically intended to meet the administrative, physical, and technical safeguards to protect ePHI, as described within HIPAA.

Be ready to talk security.

HIPAA auditors will want to know about any security incidents or breaches that your organization has encountered. When they ask if you have experienced any of these events, be forthright. Auditors understand that data breaches and similar activities are incredibly common; their concern is how your organization has responded to these events.

Determine the person who will be in charge of privacy & security.

HIPAA requires you to have security and privacy officers. However, those roles can be played by someone who is already at your organization – you aren’t expected to make a new hire.

Assuming that one person is serving in the security and privacy officer capacities, that individual is effectively responsible for showing that the company has made a concerted effort to meet the regulations, such as periodically checking security policies, being certain that staff members know the policies, having a risk analysis performed on your IT systems, and confirming that business associate agreements exist for all relevant vendor relationships.

Review your business associate agreements.

The auditors will want to talk about the third-party relationships that involve your ePHI. Have a list of vendors, such as your HIPAA hosting company, and the safeguards that they have in place – as indicated within your business associate agreements (BAAs) with them.

Your HIPAA compliant environment

Are you a covered entity or business associate regulated by HIPAA? Make sure you are working with a healthcare hosting provider that cares as much about the privacy and security of health information as you do. At Atlantic.Net, our HIPAA Compliant Hosting is backed by fully audited HIPAA, HITECH and SOC 1 / SOC 2 certified infrastructure. See our HIPAA server plans.