How to choose your independent HIPAA assessor?

An independent HIPAA assessor or auditors review controls, policies, and other artefacts in your program, verify them against submitted evidence, and conduct tests of their own to ensure that you are meeting the requirements for the HIPAA rule(s) you want to achieve. Learn more about TrustCloud’s TrustOps for HIPAA!

Here are a few things you should consider when selecting an auditor:

1. Accreditation: An independent attestation report is issued under the AICPA attestation standards, designed to allow a CPA firm to determine an organization’s compliance with the HIPAA requirements.
2. Find a reputable firm. One firm with a good reputation is sufficient. If you need guidance in this area, TrustCloud provides some recommendations.
3. Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of HIPAA, how to evaluate your controls against its requirements, and any applicable best practices.
4. It’s important that your auditor understand your business so they can expertly assess if there are any gaps or deficiencies.

What does the assessor look for?

The IIA Standard Code of Ethics guides Auditors, which tasks auditors with being independent and objective. An auditor sees the documentation you developed as evidence, as proof that a particular control exists, and it helps them evaluate operational effectiveness (whether or not the control is performing as it should).

Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the HIPAA framework. These techniques may include:

1. Observation: Observing you perform a task relevant to specific control.
2. Inquiry: Interviewing you or your team to learn about a specific process.
3. Inspection: Requesting evidence of compliance with a control.

In order to satisfy the auditor’s needs, it’s imperative that documentation be both complete and accurate. The source of the information in the document is identified and verified, the content of the document is written with integrity, and the documentation is easily accessible and retrievable for audit purposes. It is important to get an auditor to come to the same conclusion about the state and health of your information security program as you do. You can help them come to that conclusion.

Once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, they give you their stamp of approval. You have now achieved HIPAA compliance. Congratulations!