Preparing for a HIPAA audit

Preparing for a HIPAA audit is simplified with TrustCloud! Learn more about TrustCloud’s TrustOps for HIPAA! If you’ve been through an audit in the past, you are well aware of how tedious and time-consuming the process can be for you and your team.

The People

When pursuing HIPAA compliance, you may want to consider appointing a compliance and/or security officer to lead the effort. This can be done by a compliance and/or security officer or by the team.

The compliance officer is responsible for developing any required procedures, conducting a risk assessment in coordination with senior management, investigating any incidents resulting in a breach, and reporting when a breach occurs.

The security officer is responsible for developing security policies, conducting training, creating a disaster recovery plan, testing systems, and implementing mechanisms to prevent unauthorized access to PHI.

The Process

The process is broken down into three major components:

Step 1: Understanding HIPAA security rule

TrustCloud supports and helps guide you in the process of being compliant with the Security Rule of HIPAA. The security rule is mandatory for all covered entities and business associates. Refer to the HIPAA Overview document to refresh your knowledge of the different parts of HIPAA.

It is important for you to spend time understanding the HIPAA Security Rule and knowing what constitutes a breach of ePHI and how to report a breach to the OCR if it occurs. The HIPAA Security Rule contains three required standards for implementation.

The Security Rule requires the implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.

Administrative Safeguards

The Security Rule administrative safeguard provisions require Covered Entities (CE) and Business Associates (BA) to perform a risk analysis before considering any specific administrative, physical, or technical safeguards under the HIPAA Security Rule. The risk analysis should be an ongoing process.

Physical Safeguards

The physical safeguards protect the physical security of your offices, where ePHI is stored or maintained. The safeguards include controls related to facility access and workstation security.

Technical Safeguards

The Technical safeguards include measures, including firewalls, encryption, and data backup, to implement to keep ePHI secure. The safeguards include controls related to access controls, audit controls, integrity controls, and transmission security controls.

Step 2: Prepare Materials

In this step, you will create a list of controls and policies to adopt, gather required evidence artifacts, document all necessary procedures, and provide adequate training to your team. TrustOps helps you automate much of this process and automatically maps your controls to the Code of Federal Regulations to make it easy for you to assess your systems, policies, and procedures. If you’re not a TrustOps user yet, contact the TrustCloud team. 

Step 3: Complete the internal review.

Whether or not you choose to do an independent assessment, you must first conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review analyzes your gaps against HIPAA (as well as other compliance standards such as HIPAA) and could be used as your self-assessment.

The Audit

An organization can self-attest to HIPAA or choose a third-party independent assessor to perform HIPAA audits once every year. The outcome of the annual review of your HIPAA controls and program is a HIPAA attestation report, not a certification.

HIPAA audits can also occur as a result of random selection by the Office of Civil Rights (OCR).