How to Prepare for a HIPAA Audit in 3 Steps

Learn the three essential steps to help you effectively prepare for a HIPAA audit.

Preparing some documents beforehand will make your HIPAA audit much more pleasant.

Ensuring the privacy and security of patient information is vital in the healthcare industry. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is not only a legal requirement but also essential in cultivating trust and protecting sensitive data. HIPAA Audits help healthcare organizations maintain security so they don't experience data breaches and the consequences that ensue.

There are a few reasons why your organization may be getting an audit.

  • At random: the OCR conducts random audits on healthcare entities to see how they are doing with HIPAA compliance.
  • Complaints: a customer, or even an employee, can file a complaint with the HHS, which may lead to an audit.
  • Self-reported breach: if you have had a breach, you have a much higher chance of being audited.

In this blog post, we will outline three essential steps to help you effectively prepare for a HIPAA audit.

Map out your PHI flow

To protect PHI, you have to know where it is created, received, transmitted, and maintained in your organization. This is called your scope. To identify your scope, you have to understand how patient data flows within your organization.

Start with the assumption that everything is in scope until you’ve verified otherwise. Verifying that a system is out of scope requires that you confirm proper network segmentation and make sure necessary controls are in place.

There are four main parts to consider when defining your scope:

  1. Where PHI is created or enters your organization
  2. What happens to it in your systems (processing, storage, etc.)
  3. Where PHI leaves your environment
  4. Where potential or existing leaks may be

You need to document where PHI is created, how it enters your environment, what happens once PHI enters, and how PHI exits.

Have documentation ready

This is probably one of the most important things to prepare for your audit. Having the proper documentation ready will make your audit go much faster and help you avoid costly penalties.

You’ll want to have the following documents available for your audit:

Workforce member training documents

Your workforce members are among the weakest links in your organization, so you should be devoting more time to training. And all of this training should be documented in writing.

Have things like employee manuals and policies ready for your auditors to see how your workforce understands HIPAA. The OCR will audit your workforce members to see if they actually know that information, so make sure your staff members are up-to-date with the information in training materials.

See also: SecurityMetrics HIPAA Guide

See also: HIPAA Training Video: Essential Healthcare Compliance Training

Security Policies and Procedures

Your organization needs security policies, and those policies need to be documented. These may include:

  • Incident response policies
  • Business continuity policy
  • Firewall policies
  • Physical security policy
  • HIPAA Privacy and Security Rule policies

Not only will these policies help your company handle security efficiently, they will also show auditors how your organization handles security.

Risk analysis and Risk management documents

These documents are required by HIPAA. A risk analysis finds potential security risks present in your organization, and a risk management plan addresses how you plan to handle these risks.

Having these documents shows your auditor that you're actually fulfilling the HIPAA requirements, that you understand what risks may be present in your organization, and how you're handling potential security issues.

Once the risk assessment is complete, review and update your organization's policies, procedures, and documentation. Make sure these policies are comprehensive, clear, and easily accessible to all staff members.

See also: 5 Steps to Making a Risk Assessment

Conduct internal audits

Conducting audits within your organization can help you find resolvable problems in your security before your audit. It’s best to do these audits periodically to find new issues that may appear.

Consider the following:

  • What vulnerabilities exist in your systems, applications, processes, or people?
  • What threats exist that could exploit each of those vulnerabilities?
  • What probability does each potential exploit carry?

Consider these categories in particular as you think about your vulnerabilities, threats, and risks:

  • Digital (e.g., weak passwords)
  • Physical (e.g., not shredding PHI)
  • Internal (e.g., employees)
  • External (e.g., hackers)
  • Environmental (e.g., fires)
  • Negligent (e.g., unknowing employee)
  • Willful (e.g., disgruntled former employee)

I always advise entities to engage a third-party security expert to help with conducting a proper security assessment. A security assessor will have experience in HIPAA (and many other security mandates) and will be able to see your organization from an external view (which is what malicious attackers are doing).

Conclusion

HIPAA audits can be difficult for both the auditors and the organization involved, but taking the proper steps to prepare yourself will help your audit become less of a headache.

Remember, the point of an audit is to help your organization become more secure, protecting you, your workforce members, and ultimately your patients.
