Introduction
Did you just get picked for a HIPAA Compliance Audit? Don’t worry! This comprehensive guide will help you sail through this audit smoothly. This blog will offer you insights into the nitty-gritty of HIPAA compliance audit, including the reasons behind the audit, the criteria for the same, common violations, and best practices to follow.
Get ready to take a deep dive into the world of HIPAA compliance audits!
What is a HIPAA Compliance Audit?
A HIPAA Compliance Audit is an annual audit conducted by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The exercise examines how Covered Entities and Business Associates handle the exchange and storage of ePHI.
US Health and Human Services or HHS is a federal agency that works with the mission to improve the overall health and well-being of Americans, by providing services at the local level.
The Office for Civil Rights is responsible for enforcing civil rights laws across several areas, such as state programs, health and human services, and education.
ePHI or Electronic Patient Health Information includes any information related to a patient such as their name, address, age, health conditions, insurance details, and more.
Should You Undergo A HIPAA Compliance Audit?
Well, it’s not a choice that you can make. Organizations get picked by OCR for the audit. If you get chosen for the HIPAA compliance audit, you must respond to the OCR within 10 days.
The OCR periodically selects organizations for the HIPAA compliance audit. The question is, could you be on the OCR’s list for the audit? The answer is yes if you’re a Covered Entity or a Business Associate.
Examples of Covered Entities:
- Healthcare providers
- Healthcare organizations
- Health insurance companies
- Healthcare clearing houses
Examples of Business Associates:
- Consultants
- Attorneys
- Texting service providers
Being HIPAA-compliant is a necessity if you fall into either of the above categories. Keep in mind that you are responsible for all ePHI you handle, and any carelessness will land you in trouble. There are 4 main HIPAA rules related to PHI that you should know by now.
#1: The HIPAA Privacy Rule: This rule outlines the standards for protecting sensitive PHI and implementing appropriate safeguards and conditions for the use and disclosure of PHI (For example: Getting explicit patient consent). It also reflects upon the patients’ rights to review their health records and suggest corrections, if any.
#2: The HIPAA Security Rule: This rule establishes the national standards for protecting the patient’s ePHI that is obtained and used by a Covered Entity. It sets comprehensive and scalable standards for safeguarding ePHI which are as follows:
- Administrative safeguards: Developing policies and procedures for security standards, training, access management, and contingency plans.
- Technical safeguards: Automated processes such as audit controls, access control, authentication controls, and encryption/decryption to protect ePHI.
- Physical safeguards: Having mechanisms in place to protect electronic systems, equipment, and buildings, from any threats.
#3: The Breach Notification Rule: This rule requires that both Business Associates and Covered Entities notify patients of any breach of PHI. This includes unauthorized acquisition, use, or disclosure of PHI.
How Does The HHS Select Organizations For HIPAA Audits?
When selecting Business Associates or Covered Entities for audit, the HHS applies a range of criteria, including the following:
- Size of the organization – Whether it’s a small, medium, or large organization
- Type of the organization – Whether it’s a healthcare clearing house, a healthcare provider, or a health plan; public or private
- Random selection – You can also be selected at random, even if there have been no security breaches or complaints involving your organization.
- Affiliation – Whether the organization is affiliated with any other healthcare organizations
- History with OCR – Whether the organization has had any interactions with the OCR in the past
- Geographic location – The OCR takes into consideration the geographical location of the organization
What Happens When You Get Selected For A HIPAA Compliance Audit?
A HIPAA compliance audit includes both onsite visits and desk reviews, during which the OCR examines your organization’s processes, policies, and controls. The OCR conducts these audits to verify that the selected organization complies with the HIPAA Security, Privacy, and Breach Notification Rules.
Steps followed by the OCR
- The OCR sends you a questionnaire in which you fill in details about the size and type of your organization and the nature of your operations. (If you fail to respond to the questionnaire, the OCR may still place you in an audit pool using publicly available information.)
- The OCR then requests the relevant documents to examine your organization’s processes, policies, and controls.
- It then reviews those documents, starts an on-site evaluation, develops findings, and shares them with you.
- You need to respond to the findings and your response is recorded in the audit report.
- A final report includes OCR’s findings, the organization’s reports, and corrective measures to undertake.
- You adhere to the findings and implement the corrective actions suggested by the OCR.
- Any failure to carry out these actions can result in legal action and heavy penalties.
Common violations found by auditors
- Lack of encryption: Some organizations exchange PHI over platforms that lack encryption, which means the information can be easily intercepted by unauthorized individuals.
- Inadequate access controls: Organizations are often unaware that they must implement access controls, i.e. administer who can access PHI. Having no such controls in place is a violation of the HIPAA rules.
- Failure to conduct risk assessments: All organizations need to conduct risk assessments periodically to identify and manage potential security risks to PHI and to ensure HIPAA compliance. Any failure in that regard is a violation.
- Using unsecured texting platforms: Many organizations use text messaging services that do not offer secure text messaging. Without such a feature, the kind of information that can be safely shared is limited, and whatever is shared can fall into the wrong hands.
- No records maintained: Organizations are required to keep detailed records of conversations, and any absence of, or discrepancy in, those records can result in a violation.
- Absence of a BAA: Not having a Business Associate Agreement between a Covered Entity and a Business Associate is fundamentally non-compliant with the HIPAA rules. The absence of such an agreement can result in serious penalties.
- Inadequate employee training: Many OCR findings show that employees who handle PHI are not being trained adequately and are not familiarised with the intricacies of HIPAA compliance. This lack of training can lead to inefficiencies across the organization’s operations.
What Happens If You Fail A HIPAA Compliance Audit?
- Corrective actions: Based on the findings and suggestions of the OCR, you need to prepare a corrective action plan, addressing compliance inadequacies.
- Civil monetary penalties: If the violations found are serious, you might be fined. The amount of penalties depends on the nature and severity of the violation. The penalties can range from $137 to $2,067,813.
- Criminal penalties: If the violations are intentional, then the fines can be heftier, including potential imprisonment.
- Referral to the DOJ: The matter can also be referred to the Department of Justice for further investigation.
How To Ensure HIPAA Compliance? (A Complete Checklist)
Looking for a complete HIPAA compliance audit checklist? Here’s how you can ensure compliance if you get picked for a HIPAA audit:
Conduct regular internal audits and assessments
As an organization, it is important that you conduct internal audits to ensure that you’re complying with the HIPAA rules. These audits must be performed on a regular basis and all results must be properly documented.
Alongside these internal audits, you must also have a risk management policy in place to tackle a potential data breach; it must include a comprehensive account of the protocols required to protect ePHI.
Appoint a HIPAA Security Officer
It is important to appoint a HIPAA Security Officer who is accountable for ensuring and maintaining the integrity of ePHI. The officer must possess a comprehensive understanding of HIPAA Compliance.
The Security Officer must:
- Ensure the proper enforcement of security and privacy policies
- Report and investigate data breaches whenever required
- Complete regular risk assessments
- Prepare a disaster recovery plan
Ensure necessary safeguards to protect ePHI
Make sure that you put the required safeguards in place to ensure data confidentiality, availability, and integrity. These are the administrative, technical, and physical safeguards described under the Security Rule above.
Understand which rules apply to your organization
You first need to verify if your organization qualifies as a business associate or a covered entity. If you’re a Covered Entity, you need to protect all patient information, electronic and non-electronic. If you’re a Business Associate, you need to have a BAA in place and also comply with the HIPAA Privacy Rule.
Conduct HIPAA risk assessments
Risk assessments are a great way to understand whether your organization is vulnerable to data breaches. They help you confirm that all necessary safeguards to protect PHI are implemented and all controls are in place. Here’s how you can conduct HIPAA risk assessments:
- Define where the PHI is stored and shared
- Identify the potential threats to PHI
- Examine the security measures in place and identify gaps
- Assign a risk level to each threat
- Prioritize the risks based on their levels
- Implement the required measures to mitigate those risks
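The six steps above are, in effect, a risk register. The following script is an added example (not code from the original post or from any vendor) that walks through them: it inventories where PHI lives, lists threats against each location, checks which required safeguards are missing, scores each threat as likelihood × impact, and ranks the results so the biggest gaps are fixed first. The systems, threats, control names, the 1–3 scoring scales and the level thresholds are all constructed assumptions for illustration.

```python
"""Minimal HIPAA-style risk register: inventory PHI systems, list threats,
score them, find safeguard gaps, and rank what to fix first.
All systems, threats and control names below are constructed sample data."""
from dataclasses import dataclass

# Qualitative scales; the 1-3 values are an assumption of this example
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class PhiSystem:
    name: str
    location: str            # step 1: where PHI is stored or exchanged
    controls: frozenset      # step 3: safeguards verified to be in place


@dataclass(frozen=True)
class Threat:
    system: str              # name of the PhiSystem the threat applies to
    description: str         # step 2: what could go wrong
    likelihood: str
    impact: str
    required_controls: frozenset  # safeguards that should exist for this threat
    mitigation: str          # step 6: action to take if a gap exists


def risk_score(threat):
    """Step 4: likelihood x impact on the 1-3 scales, giving 1..9."""
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def risk_level(score):
    """Map the numeric score to a risk level (thresholds are an assumption)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(systems, threats):
    """Steps 3-5: find control gaps per threat and rank by risk score."""
    by_name = {s.name: s for s in systems}
    register = []
    for t in threats:
        system = by_name[t.system]           # KeyError means the inventory is incomplete
        gaps = t.required_controls - system.controls
        score = risk_score(t)
        register.append({
            "system": system.name,
            "location": system.location,
            "threat": t.description,
            "score": score,
            "level": risk_level(score),
            "gaps": sorted(gaps),
            "action": t.mitigation if gaps else "monitor existing controls",
        })
    # Highest inherent risk first; ties broken by number of gaps, then name
    register.sort(key=lambda r: (-r["score"], -len(r["gaps"]), r["system"]))
    return register


# Constructed sample inventory and threat list
SYSTEMS = [
    PhiSystem("EHR database", "on-prem datacenter",
              frozenset({"encryption_at_rest", "access_control", "audit_logging"})),
    PhiSystem("Patient texting platform", "third-party SaaS",
              frozenset({"access_control"})),
    PhiSystem("Clinician laptops", "mobile",
              frozenset({"access_control"})),
]
THREATS = [
    Threat("Patient texting platform", "messages with PHI intercepted in transit",
           "high", "high", frozenset({"encryption_in_transit", "access_control"}),
           "move to a secure texting platform with end-to-end encryption"),
    Threat("EHR database", "former employee retains access to records",
           "medium", "high", frozenset({"access_control", "audit_logging"}),
           "review and revoke stale accounts"),
    Threat("Clinician laptops", "lost laptop holding exported PHI",
           "medium", "medium", frozenset({"encryption_at_rest", "access_control"}),
           "enable full-disk encryption on all laptops"),
]

if __name__ == "__main__":
    for row in assess(SYSTEMS, THREATS):
        print(f"{row['level']:6} {row['score']:>2}  {row['system']}: "
              f"{row['threat']} | gaps={row['gaps']} | {row['action']}")
```

Keeping threats with no gaps on the register (marked "monitor existing controls") matters for the audit: the OCR wants evidence that the risk was considered and that the existing safeguard was verified, not just a list of open items. The sorted output is the prioritized mitigation list from step 5, and the register itself is the documentation that the "Maintain detailed records" section calls for.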
Maintain detailed records
Make sure to document all improvements pertaining to the privacy and security of data. Here’s what you need to monitor and record continuously:
- Compliance training sessions
- Entities having access to PHI
- Policy revisions
Train your employees
It is imperative that you train your employees who handle ePHI and give them a comprehensive understanding of HIPAA rules and procedures. Help them understand the difference between compliant and non-compliant behaviour with respect to dealing with PHI. Also familiarize them with the consequences that follow as a result of violating HIPAA rules. This training can be done periodically or annually. If you train your employees well, you will never run into trouble.
Report security incidents
If you discover a security breach, don’t hesitate to report it within 60 days. You need to submit a report explaining the breach and conduct an internal investigation as well. The report will trigger an investigation by the OCR, which will then suggest corrective actions. This process helps you address the issue properly and restore compliance.
Frequently Asked Questions
A HIPAA audit can be triggered by a variety of factors, such as:
- A complaint filed by a patient
- A data breach affecting more than 500 patients
- A history of non-compliance on the entity’s part
- Operational changes in the organization
- Random selection
Yes, it is advised to conduct HIPAA audits at least once a year. If the organization is fairly large, it should have internal audits twice a year.
Conduct risk assessments, train your employees, appoint a HIPAA security officer, review your policies and procedures, implement the required safeguards for data protection, and report all breaches.
HIPAA audit controls are the procedural mechanisms as required by the HIPAA Security Rule. These controls need to be implemented to examine and record all activity in information systems containing PHI.
No. Text messages are not compliant by default. You can ensure HIPAA-compliant texting by limiting PHI in texts, using secure texting platforms, and implementing all safeguards to protect PHI.
Here are the rules for texting and email in a HIPAA-compliant manner:
- Get the explicit consent of patients
- Prevent unauthorized access by encrypting PHI
- Implement access controls
- Have separate PINs for authorized users
Yes, text messages containing information about patient care are part of the medical record. These are typically the messages exchanged between the medical team and the patients.
Conclusion
A HIPAA Compliance Audit is a requirement for every organization that stores and shares PHI. You don’t get to choose whether you want to undergo an audit; you have to. If you fail the audit, you need to deal with the consequences, which depend on the severity of the violation. As an organization, it is your duty to take PHI very seriously and ensure HIPAA compliance, no matter what. We hope this guide has given you everything you needed to know about HIPAA compliance audits. Looking to ensure HIPAA compliance while texting? Book a quick call with us here and chat with an expert!