A critical part of achieving HIPAA compliance is completing a security risk assessment at least once yearly. Not only is it a good idea, but also because it’s a requirement of the HIPAA law.
A HIPAA compliance audit checklist can help you work through the security risk assessment process and reveal potential gaps. Here are some things you must include if you’re building a HIPAA audit checklist.
HIPAA Audit Checklist Privacy Rule Standards
On the surface, the HIPAA Privacy Rule seems straightforward:
- It defines the patient data that constitutes protected health information (PHI)
- It defines the appropriate use or disclosure of PHI
- It gives patients the right of access to their PHI
The law defines up to 14 standards that organizations must comply with if they are subject to the HIPAA Privacy Rule. The standards differ depending on the organization and how they use patient PHI.
A dental office and a document storage company might have different standards to meet. But the terms of a business associate agreement between the two might add additional standards that must be met.
HIPAA Audit Checklist Security Rule Standards
While the HIPAA Privacy Rule focuses on what to protect (PHI), the HIPAA Security Rule addresses how PHI is protected by establishing a set of standards for confidentiality, integrity, and availability of ePHI.
The goal is to prevent patient PHI from being accessed and used inappropriately. Cybercriminals use ransomware, malware, hacking, and phishing to access ePHI. The methods used to protect this information vary based on where the information is stored. At a minimum, this should include antivirus software, firewalls, multi-factor authentication, role-based access controls, and zero-trust strategies.
HIPAA Audit Checklist Breach Notification Rule Standards
HIPAA rules and regulations aim to protect PHI and prevent its breach. But the reality is that breaches do happen. The lawmakers understand this, and the HIPAA Breach Notification Rule addresses determining if a breach has occurred and what should be done if it has.
This rule defines specific reporting requirements depending on the size and scope of the breach. Failure to follow the provisions of the Breach Notification Rule has been a contributing factor in some of the most significant HIPAA fines on record.
HIPAA Audit Checklist Administrative Standards
HIPAA’s mandated requirements are extensive. But it is just as important to document all of your efforts administratively. Here are just a few administrative requirements you must have to achieve HIPAA compliance:
1. Every HIPAA compliant organization must have a designated HIPAA Compliance Officer. This role can be combined with those of a Privacy or Security Officer.
2. You must have written policies and procedures that address the following:
-
- Permissible Uses and Disclosures of PHI
- Procedures for Obtaining Authorizations
- Notices of Privacy Practices
- Responding to Requests for Privacy Protection
- Responding to Right of Access Requests
- Accounting of Disclosures
- Reporting Security Incidents
- Response and Corrective Action for Violations of Policy
- Emergency Action Plans
3. You must provide annual training to all employees on your policies and procedures, identification of PHI, and security awareness.
4. You must have signed Business Associate Agreements with vendors that possess, use, analyze or store PHI.
5. You must fully document all of your measures and have them available for audit by investigators with the HHS Office for Civil Rights.
Why It’s Easy to Miss Items on Your HIPAA Audit Checklist
One thing that’s confusing about HIPAA compliance is that the law is a pass-or-fail undertaking. Every organization that is subject to the law must fully comply with the law regardless of size.
The same standard applies to a large national hospital corporation, a single-provider clinic, or a document storage vendor who serves either of them. As you can imagine, the process of achieving compliance will be very different, as will the items that must be considered.
Instead of building your own checklist, Compliancy Group has built a practical checklist that fully addresses the requirements of HIPAA. We built our checklist, and the security risk assessment tool within our online HIPAA compliance solution, “The Guard” using the same standard used by OCR auditors to evaluate compliance.
Our software enables you to achieve HIPAA compliance by completing a series of tasks specifically developed based on the needs of your business. This is not a one-size-fits-none template but a complete compliance solution for your organization.
Let us be your partner in achieving HIPAA compliance. During our 18 years in business, we have never had a client who followed our process fail an OCR audit or be fined.
