Stories of security breaches, hackers, and stolen personal data have become a part of daily headlines. As a result, businesses have become increasingly concerned about the safety and security of their critical data.
If you work in the medical services industry, where you store tremendous amounts of patient data, you need to be extra careful. That's where the HIPAA compliance audit comes into play.
Between 2009 and 2020, 3,705 health care data breaches of 500 or more records have been reported to The Health and Human Services Office For Civil Rights (HHS OCR). Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records.
To safeguard the privacy of personal medical data and confidential health information, the United States Government passed the Health Insurance Portability and Accountability Act of 1996. HIPAA is United States federal legislation covering the data privacy and security of medical information.
It is the right of the public to demand privacy for their personal medical data. We should be able to trust the health care providers with our protected health information. HIPAA sets the required expectations and guidelines for healthcare providers to protect medical data.
HIPAA is managed by The Health and Human Services Office For Civil Rights (HHS OCR). OCR conducts periodic audits to ensure compliance by the businesses and covered entities that handle medical data.
This article will explain everything in detail about the HIPAA compliance audit and will serve as a guide for success.
What is a HIPAA Compliance Audit?
The OCR conducts the HIPAA compliance audit to examine how an organization is handling protected health information.
The Five Key Rules of HIPAA
The Privacy Rule protects an individual's medical records by defining how much information can be used without a person's consent. It also gives patients the right to view a copy of their medical records.
The Security Rule defines how Protected Health Information (PHI) is stored, accessed, and transmitted. Most of the required methods and procedures fall under this rule. In addition, it sets out the administrative, technical, and physical safeguards that are essential to meet the standards for the security of Protected Health Information.
The Transaction Rule is used to specify the codes (which are used in HIPAA transactions) and ensure medical records are secure and accurate.
The Identifiers Rule is intended to limit any mistakes covered entities might make when doing administrative and financial transactions.
The Enforcement Rule addresses the penalties that are levied for violations of HIPAA security and privacy requirements.
The auditors from OCR will conduct a thorough investigation of an organization to ensure that it is complying with all the HIPAA rules. During the audit, covered entities and business associates will be required to demonstrate their compliance with the HIPAA rules. The main goal is to assess the policies, controls, measures, and processes they use to secure Protected Health Information. If the OCR finds a failure to meet any of the requirements, financial penalties will be levied on the organization.
Importance of HIPAA Compliance Audits
Even though HIPAA audits can lead to huge fines, complex corrective action plans, and lengthy investigations of your organization, preparing for them means you can at least reduce the fear of data breaches and cybersecurity attacks that could compromise Protected Health Information.
For people, their personal health data is sensitive (private) and valuable to them, but it's also valuable to criminals on the dark web, who may use it in harmful ways. Therefore, it is of paramount importance that any organization which is subject to HIPAA takes all the necessary steps possible to secure patient data.
Preparing for a HIPAA audit will help you identify any risks to the integrity of your data and reduce the risk of fines and civil legal penalties that arise from a breach of electronic Protected Health Information.
How is an Organization Chosen for a HIPAA Compliance Audit?
HIPAA compliance audits are not performed on all health care organizations regularly. Even though this doesn't sound like a great practice, there are not enough OCR auditors to send to every health care provider or business associate.
Organizations are selected for several reasons like:
In response to a complaint raised against an organization received by OCR
A self-reported data breach
Random selection by OCR
Any covered entity or business associate is eligible for an audit. The OCR provides an audit questionnaire that collects relevant information about potential candidates. This is then processed into an audit plan that is submitted to the entity for approval. If an entity doesn't reply to the questionnaire, publicly available information is used to determine the viability of an audit.
Since HIPAA audits can be triggered at any moment, companies in the healthcare industry need to be prepared for unannounced audits.
Risks Involved in a HIPAA Compliance Audit
As we have already seen, a HIPAA compliance audit can be initiated for numerous reasons and purposes, each of which comes with its own set of risks.
For example, many of the HIPAA settlements reached in recent years have been under the Right of Access Initiative. Most of them originated from a specific patient's complaint to the OCR that their request for records was not fulfilled.
You can never predict whether a patient from your practice will be the one who files a complaint with OCR. However, before you decide to try your odds, remember that the average cost of an OCR settlement is close to $1.1 million.
If you're willing to take the chance of undergoing a full investigation that could lead to your company paying out millions of dollars, then that's your risk.
How to Successfully Prepare for a HIPAA Compliance Audit?
It is always best to make the necessary changes to comply with HIPAA requirements before being notified of any audit. HIPAA compliance is a must for any company that works with Protected Health Information. You need to be proactive, as you hold the responsibility to keep the information secure.
Compliance is a concern for any organization, and it is important to understand the requirements and plan accordingly.
Document organization/structural/operational changes
Be sure to document all the organizational, operational, and structural changes you have made in recent years. These can be mergers, acquisitions, or any other changes; also don't forget to include any new departments or facilities you have launched in your audit plan.
Performing regular security risk audits will help you prepare in case of an audit by the OCR.
Document the list of previous findings
Make a list of
Date of your last audit
The mitigated risks
The HIPAA policies and procedures that are in place
Evidence and documentation of the policies
The HIPAA Rules say that covered entities must protect their own operations and information. Any business associate that uses, shares, or stores Protected Health Information on behalf of a covered entity must also comply with these regulations.
Having an inventory of business associates
It's crucial that you stay on top of your business associates. First, list all your known business associates, including those whose agreements were signed outside the IT department's purview. Once you've done this, rank them from highest to lowest risk based on their interaction with protected data.
Your full HIPAA compliance audit includes both internal and external reviews and should determine administrative, physical, and technical safeguards.
Use Governance, Risk Management, and Compliance (GRC) software
Using spreadsheets to record audit responses can be a huge amount of work and often leads to extra research and back-and-forth with the person you're working with just to fill in all of the little details. We've found that using GRC software really simplifies the process, saves time, and makes communication easier.
With new threats emerging nearly every week, you must be aware of the latest information available when conducting your annual HIPAA compliance audit.
Get in touch with an Information Sharing and Analysis Organization (ISAO)
We recommend that you join a regional Information Sharing and Analysis Organization so you can learn best practices, keep up to date with regulatory changes, and stay on top of cybersecurity threats.
Getting your HIPAA compliance audit done isn't enough. You need to mitigate the risks as much as possible to protect your organization and your patients' data.
Create a customized plan to mitigate risks
Use a risk assessment protocol to ensure you're employing current techniques and staying ahead of any potential risks. In addition, a documented plan will allow you to ensure that your organization is well prepared for any assessment.