HIPAA Audit Checklist Security Rule Standards
While the HIPAA Privacy Rule focuses on what to protect (PHI), the HIPAA Security Rule addresses how PHI is protected by establishing a set of standards for confidentiality, integrity, and availability of ePHI.
The goal is to prevent patient PHI from being accessed and used inappropriately. Cybercriminals use ransomware, malware, hacking, and phishing to access ePHI. The methods used to protect this information vary based on where it is stored. At a minimum, those protections should include antivirus software, firewalls, multi-factor authentication, role-based access controls, and zero-trust strategies.
HIPAA Audit Checklist Breach Notification Rule Standards
HIPAA rules and regulations aim to protect PHI and prevent its breach. But the reality is that breaches do happen. The lawmakers understand this, and the HIPAA Breach Notification Rule addresses determining if a breach has occurred and what should be done if it has.
This rule defines specific reporting requirements depending on the size and scope of the breach. Failure to follow the provisions of the Breach Notification Rule has been a contributing factor in some of the most significant HIPAA fines on record.
HIPAA Audit Checklist Administrative Standards
HIPAA’s mandated requirements are extensive. But it is just as important to document all of your efforts administratively. Here are just a few of the administrative requirements you must meet to achieve HIPAA compliance:
1. Every HIPAA-compliant organization must have a designated HIPAA Compliance Officer. This role can be combined with those of a Privacy or Security Officer.
2. You must have written policies and procedures that address the following:
- Permissible Uses and Disclosures of PHI
- Procedures for Obtaining Authorizations
- Notices of Privacy Practices
- Responding to Requests for Privacy Protection
- Responding to Right of Access Requests
- Accounting of Disclosures
- Reporting Security Incidents
- Response and Corrective Action for Violations of Policy
- Emergency Action Plans
3. You must provide annual training to all employees on your policies and procedures, identification of PHI, and security awareness.
4. You must have signed Business Associate Agreements with vendors that possess, use, analyze, or store PHI.
5. You must fully document all of your measures and have them available for audit by investigators with the HHS Office for Civil Rights.
Why It’s Easy to Miss Items on Your HIPAA Audit Checklist
One thing that’s confusing about HIPAA compliance is that the law is a pass-or-fail undertaking. Every organization that is subject to the law must fully comply with the law regardless of size.
The same standard applies to a large national hospital corporation, a single-provider clinic, or a document storage vendor who serves either of them. As you can imagine, the process of achieving compliance will be very different, as will the items that must be considered.
Rather than having you build your own checklist, Compliancy Group has built a practical checklist that fully addresses the requirements of HIPAA. We built our checklist, and the security risk assessment tool within our online HIPAA compliance solution, “The Guard,” using the same standard that OCR auditors use to evaluate compliance.
Our software enables you to achieve HIPAA compliance by completing a series of tasks specifically developed based on the needs of your business. This is not a one-size-fits-none template but a complete compliance solution for your organization.
Let us be your partner in achieving HIPAA compliance. During our 18 years in business, we have never had a client who followed our process fail an OCR audit or be fined.