Be Prepared: A Thorough Checklist for a HIPAA Audit

hipaa audit.jpeg

Many organizations generally have difficulty with their HIPAA audit and are unprepared to comply. Use this checklist to make sure you're ready in every way!

The word audit can strike fear into the bravest person's heart. We think of tax or accounting audits, and even when we know we've done everything right, there's a feeling of uncertainty that an audit inspires.

Medical professionals already assume a great deal of responsibility by treating their patients and maintaining good records. With those duties comes accountability for protecting patient data. 

Here at Assured Tech Services we know you've done well to guard your patient's protected health information, but have you ever prepared for a HIPAA audit using a checklist? Our list will help you check your compliance step by step and make sure you're prepared in case of an audit.

There are three sections of protection rules that you must understand and adhere to. These are Administrative, Physical, and Technical, and they are both mandatory and addressable. We'll go through each of these so you have a broad understanding of privacy expectations. If this is too overwhelming already, just give us a call at 248-243-7160.

Administrative Protections

Administrative protections represent more than half of all the HIPAA security requirements. You must identify a security official that takes responsibility for the policies and procedures required in this subsection.

Risk assessment - you must conduct a formal and comprehensive assessment for all your health data.

Risk management - you must have a risk management system and a clear policy for disciplining employees who ignore HIPAA regulations.

Disaster preparation - you must have a process to preserve continuity and handle patient data in case of disaster. You also must test this process.

Records access - you must make sure that PHI is not accessible to any outside parties such as your parent company or a contractor. Treat your partners as business associates and maintain signed agreements.

Incident documentation - you need to report incidents that could lead to a breach. Even if the data is not compromised, your company should take steps to prevent an exploit.

Physical Protections

These rules cover anyone that has physical access to your computers. Even your repair personnel and custodians can compromise patient data. The physical protection rules include:

Workstation management - you'll want to limit which workstations can access patient data. Screens also need to be guarded to prevent untrusted parties from reading them.

Mobile devices - You must have procedures to ensure all protected data is removed from mobile devices when they change hands.

Server tracking - You must document your data inventory and its location on your server if you do your own data management. You also must perform a clean data transfer.

Technical Protections

Many practices like yours use a managed service provider to handle their data storage and network needs. Managed service providers, or MSPs, offer cloud storage and software hosting that hackers can attack.

Your and your MSP share your ePHI over the internet. Hackers find increasingly innovative ways to get into networks and servers, so you and your MSP must agree on your HIPAA protection measures.

Your security officer is not free from responsibility even if your MSP is compliant. They will work as a business associate to make sure the provider meets HIPAA security standards. They will also be aware of any changes to hardware or software that might impact your ePHI.

User identity - You must have a system that identifies and tracks users that can access ePHI. These systems assign an ID number

Emergency access - All facilities need procedures that cover access to ePHI during an emergency.

Entity authentication - All facilities must have procedures that can verify the identity of anyone seeking access to ePHI.

Session control - Your system should log all user activity. The log must include the length of time protected data was accessed. Any changes to the data should also be part of the activity log.

Auto-logoff - There must be a set period of inactivity or access time before the system logs the user off.

Data encryption - All data that travels outside your or your MDPs firewall must be encrypted.

It's important to note that every vendor that handles your patient's PHI is a business associate under the law, and you must have and maintain a signed associate agreement with each one.  Each year your compliance officer should assess your vendors' performance and check to make sure they are still HIPAA compliant.

Handling a Data Breach

Hopefully, you won't ever experience a data breach. HIPAA regulations dictate that you must prepare in case you do experience one. The HIPAA Breach Notification Rule calls for healthcare providers to report any unauthorized ePHI access. Risk can involve a stolen computer or laptop, or a smartphone that was forgotten on public transportation.

A breach affecting fewer than 500 people requires the practice to notify the individuals and also report the incident to the Secretary of Health and Human Services. A breach affecting more than 500 patients requires the compliance officer to quickly contact the HHS Secretary and inform the local media if those 500 or more people live in the same area.

Penalties for Non-Compliance

The HIPAA Enforcement Rule defines four violation levels and their minimum fines. They are:

• Reasonably unaware of a violation, receiving a fine of $100 - $50,000

• Reasonable cause, defined by a situation that would have prompted a reaction by a normal person, receiving a fine of $1,000 - $50,000

• Willful neglect that is rectified within 30 days, receiving a fine $10,000 - $50,000

• Willful neglect that is left unmitigated, receiving a minimum fine of $50,000.

Prepare for Your HIPAA Audit

No provider wants their patient's data to be compromised. HIPAA audit preparation is a proactive measure that ensures your company is in compliance before you get audited. Use the checklist above to measure your compliance and gain an understanding of HIPAA expectations.

Explore available resources to help you decide where to start, where your procedures could improve, and who can conduct an independent audit for you. Assured Tech Services has a deep knowledge of HIPAA compliance and offers a range of tools to get you started.

Call us at 248-243-7160 to find out how to keep your ePHI safe. We offer IT services you can trust to be compliant. See how we can help your practice align with HIPAA requirements so that you can relax if you're faced with an audit.