
Define your HIPAA Audit Scope


Overview

Defining the audit scope is part of every audit. The scope sets the boundaries of the audit and identifies the object under review.

That object can be the people, data, systems or product being reviewed. Defining the scope lets the auditors concentrate on one aspect of the organization rather than on the whole, which is why it is important to state clearly what is in scope for your audit.

Determining your HIPAA audit scope requires your organization to specify the product, the data, the systems, the vendors, your entity type (covered entity or business associate) and the HIPAA rules in scope.

Read below for guidance on how to determine each scope item. A template listing each item is provided at the end of this page for use in this exercise.

Product(s) in scope

This should be relatively easy. For a Software as a Service (SaaS) provider, the scope is typically the software application(s) offered to clients. Some organizations have multiple products, so it is important to define, for your HIPAA audit, which product is in focus and which is not.

Data in scope

To identify the data in scope, focus on the types of data and the people that flow through the product or service identified above. For a SaaS provider, this is typically all the data held in the product (i.e. customer data, etc.) and the people who support it, such as vendors and employees.

Systems in scope

To identify the systems in scope, take an inventory of all the systems and internal controls that are critical to delivering the service or product in scope. This could include email or Slack; the key is to focus on the systems and tools that are essential to delivering your service or product. Production systems have a direct impact on your product or service, unlike non-production systems.

For HR systems, focus on the systems that manage employees' onboarding and training processes. Everything else, such as time-off requests and benefits, is out of scope since it is not critical to delivering the service or product.

For a SaaS provider, the systems in scope are typically all the infrastructure that hosts the product and the tooling that supports it, such as AWS, GitHub, JIRA, etc.

Vendors in scope

To identify the vendors in scope, focus on the critical vendors, such as cloud hosting and other production-related companies, used to support the product or service in scope.

Are you a business associate or a covered entity?

Scoping changes drastically depending on whether you qualify as a covered entity or a business associate.

Covered entities include, but are not limited to:

  • Healthcare providers such as hospitals, clinics, doctors' offices, pharmacies, and home health agencies.
  • Health plans such as government programs that pay for healthcare, health insurance companies, health maintenance programs, and military and veterans’ health programs.
  • Healthcare clearinghouses, i.e. organizations that act as the go-betweens for healthcare providers and insurance providers.

Business associates perform services on behalf of a covered entity and include, but are not limited to:

  • Third-party administrators
  • Billing companies
  • Transcriptionists
  • Cloud service providers
  • Data storage firms – electronic and physical records
  • EHR providers
  • Consultants
  • Pharmacy benefits managers
  • Claims processors
  • Collections agencies
  • Medical device manufacturers

Use the HHS question-and-answer decision tool to determine whether your organization is a business associate or a covered entity. This determination must be made together with your Legal department.

HIPAA Rule in scope

The HIPAA regulation is composed of three rules: the Privacy Rule, the Security Rule and the Breach Notification Rule.

  • The Security Rule is mandatory for both covered entities and business associates.
  • The Privacy Rule is mandatory for covered entities only.
  • The Breach Notification Rule is mandatory for covered entities and optional for business associates.

Scoping guidance template

  • Provide a detailed description of your organization's products or services.
      - Focus on the product or service under review.
  • Provide the types of data and the people that flow through the product or service under review.
  • Provide the list of systems / tools that flow through or support the product or service under review.
  • Provide the list of critical vendors used to support the product or service under review.
  • Confirm your HIPAA identity:
      - Covered Entity
      - Business Associate
  • Confirm your HIPAA audit scope:
      - Security Rule (mandatory)
      - Breach Notification Rule (optional for a Business Associate; mandatory for a Covered Entity)
      - Privacy Rule (optional for a Business Associate; mandatory for a Covered Entity)
