Preparing for a HIPAA audit
If you’ve been through an audit in the past, you are well aware of how tedious and time-consuming the process can be for you and your team. If not, think of the great joy brought on by lots and lots of spreadsheets.
When pursuing HIPAA compliance, you may want to consider appointing a compliance and/or a security officer to lead the effort. These functions can be done by the same individual, or the work can be divided within the team.
The role of compliance officer will be responsible for developing any required procedures, conducting a risk assessment in coordination with senior management, investigating any incidents resulting in a breach, and reporting when a breach occurs.
The role of security officer will be responsible for developing security policies, conducting training, creating a disaster recovery plan, testing systems, and implementing mechanisms to prevent unauthorized access to PHI.
The process can be broken down into three major components:
Step 1: Understanding the HIPAA Security Rule
To be clear, TrustCloud supports and guides you through the process of becoming compliant with the HIPAA Security Rule. The Security Rule is mandatory for all covered entities and business associates. Refer to the HIPAA overview document for a refresher on the different parts of HIPAA.
It is important to spend time understanding the HIPAA Security Rule, to know what constitutes a breach of ePHI, and to know how to report a breach to the OCR should one occur. The HIPAA Security Rule contains what are referred to as three required standards of implementation.
The Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.
The Security Rule's administrative safeguard provisions require Covered Entities (CE) and Business Associates (BA) to perform a risk analysis before considering any specific administrative, physical, or technical safeguards under the HIPAA Security Rule. The risk analysis should be an ongoing process.
The physical safeguards protect the physical security of your offices where ePHI may be stored or maintained. The safeguards include controls related to facility access and workstation security.
The technical safeguards are the measures, including firewalls, encryption, and data backup, that you implement to keep ePHI secure. They include access controls, audit controls, integrity controls, and transmission security controls.
Step 2: Prepare Materials
In this next phase, you will create a list of controls and policies to adopt, gather required evidence artifacts, document all necessary procedures, and provide adequate training to your team. If you’re a TrustOps user, we’ve got your back. TrustOps helps you automate much of this process, and automatically maps your controls to the Code of Federal Regulations to make it easy for you to assess your systems, policies, and procedures. If you’re not a TrustOps user yet, call us… we’d love to have your back, too.
Step 3: Complete Internal Review
Whether or not you choose to do an independent assessment, you must first conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review you get when you work with us analyzes your gaps against HIPAA (as well as other compliance standards), and can be used as your self-assessment.
A company can self-attest to HIPAA or choose a third-party independent assessor to perform a HIPAA audit once every year. The outcome of the annual review of your HIPAA controls and program is a HIPAA attestation report, not a certification.
HIPAA audits can also occur as a result of random selection by the Office for Civil Rights (OCR).