How to choose your independent HIPAA assessor?
If you opt to be independently assessed, you will find that the audit process can be nerve-racking. The auditor will review controls, policies, and other artifacts in your program, verify them against submitted evidence, and conduct tests of their own to ensure that you are meeting the requirements for the HIPAA rule(s) you want to achieve.
Here are a few things you should consider when selecting an auditor:
- Accreditation: An independent attestation report is issued under the AICPA attestation standards, which are designed to allow a CPA firm to determine an organization’s compliance with the HIPAA requirements.
- Find a reputable firm. It doesn’t have to be a brand-name firm. One with a good reputation will suffice. If you need guidance in this area, we’re happy to provide some recommendations.
- Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of HIPAA, how to evaluate your controls against its requirements, and any applicable best practices.
- Auditors are like snowflakes; no two are alike. It’s important that your auditor understands your business, so they can expertly assess if there are any gaps or deficiencies.
What does the assessor look for?
Auditors are guided by the IIA's Code of Ethics, which requires them to be independent and objective. The documentation you developed as evidence is seen by an auditor as proof that a particular control exists, and it helps them evaluate operating effectiveness (whether or not the control is performing as it should).
Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the HIPAA framework. These techniques may include:
- Observation: Watching you perform a task relevant to a specific control.
- Inquiry: Interviewing you or your team to learn about a specific process.
- Inspection: Requesting evidence of compliance with a control.
In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of the information in the document has to be identified and verified, the content of the document must be written with integrity, and the documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.
Once an auditor has determined that your controls, policies, and procedures meet all applicable requirements, they will give you their stamp of approval. You have now achieved HIPAA compliance. Congratulations!
But… wait. There’s more.