Auditing for HIPAA compliance

April 26, 2017
Katherine Downing, MA, RHIA, CHPS, PMP
IG Advisors Senior Director, AHIMA

Since the Office for Civil Rights (OCR) announced its Phase 2 HIPAA Audit Program in March 2016, selected entities have been, and will continue to be, audited on their compliance with HIPAA’s privacy and security rules. OCR drew a random sample from the population of covered entities (CEs) and their business associates (BAs), selecting 167 covered entities and approximately 40 business associates for desk audits. Selected entities were contacted by OCR via email and asked to submit documentation through the OCR portal within 10 days of receiving the request. The requested documentation presented several challenges for the selected CEs, including the short turnaround time, the required formats, and the effort of gathering the information.

The 2016 desk audits were only the beginning of OCR’s audit plan; on-site audits are expected to begin this year, and CEs and BAs may be subject to both types. Privacy, security, and compliance officers need to implement the regulation’s requirements, review existing practices, and “kick the tires” to confirm that their organizations remain HIPAA compliant.

In February, the American Health Information Management Association (AHIMA) released an External HIPAA Audit Readiness Toolkit, which describes external HIPAA audits and collects government resources and other tools to help an organization prepare for one. The toolkit explains the requirements of the OCR Phase 2 audits, including ongoing and future audits, and offers guidance on audit preparation and recommended practices.

To prepare for an external OCR audit, every organization should complete internal HIPAA audits using the OCR audit protocols and should also audit against its own HIPAA policies. The goal is to identify and mitigate risks and to assess internal compliance with policy.

Two HIPAA internal audit case studies

Organizations are investing time in internal audit processes for HIPAA compliance to reduce the risk to the organization’s information and the risk and cost of breaches and noncompliance.

The two organizations interviewed for this case study indicated the following:

  1. User access audits are a key aspect of an internal audit.
  2. “Walk through” audits are key to gauging employees’ understanding of the organization’s HIPAA policies and procedures and to seeing how those policies are actually implemented throughout the organization.

Auditing user access

Reviewing user access has two steps. The first is identifying which patients a user accessed in the system. The second is analyzing what the user has the right to access based on his or her user profile in the system.

Both organizations in this case study have invested in third-party software to monitor user access and generate automated alerts for known access risk areas: employees who are also patients, VIP patients, managers and organizational leaders who are patients, access by the accounts of employees who have been terminated, patients with the same last name as the user, patients with the same or a similar address to the user, and more. The organizations also keep open communication with their human resources departments about employees who are at high risk for inappropriate access, such as disgruntled employees.

In addition to the automated system audits, the privacy officers also perform their own audits and a random review of access each quarter.

Part of implementing an information governance program is a review of how users are set up with system access and of the standard access assigned to each user group. “Access creep” often occurs: users accumulate more access than their current job function requires. This can happen when job parameters change, or when an employee moves from job to job within the organization and new functions are added without the old ones being removed.
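As an added illustration of both steps of the user access review (not code from the interviewed organizations or from any vendor product), the following Python sketch runs the alert rules described above over a constructed access log and then reports access creep by comparing each user’s entitlements with the standard set for their current role. The data model, rule names, role baseline, and sample records are all assumptions made for the example.

```python
"""Constructed example: flag high-risk PHI accesses and report access creep.

Data model, rule names and role baseline are hypothetical; the sample
users, patients and access log below are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class User:
    user_id: str
    last_name: str
    address: str
    role: str
    entitlements: set
    terminated_on: Optional[date] = None  # access on/after this date is a red flag


@dataclass
class Patient:
    patient_id: str
    last_name: str
    address: str
    employee_user_id: Optional[str] = None  # set when the patient is also a workforce member
    vip: bool = False  # VIP or organizational leader, as defined by policy


# Standard access per role: the baseline that "access creep" is measured against (assumed).
ROLE_BASELINE = {
    "nurse": {"chart.read", "meds.administer"},
    "billing": {"chart.read", "claims.submit"},
}


def normalize_address(addr):
    """Crude normalization so '12 Oak Street' and '12 oak st.' compare equal."""
    a = re.sub(r"[^a-z0-9 ]", "", addr.lower())
    a = re.sub(r"\bstreet\b", "st", a)
    a = re.sub(r"\bavenue\b", "ave", a)
    return re.sub(r"\s+", " ", a).strip()


def access_flags(user, patient, accessed_on):
    """Return the list of risk rules (in fixed order) that one access trips."""
    flags = []
    if patient.employee_user_id == user.user_id:
        flags.append("self-access")
    elif patient.employee_user_id is not None:
        flags.append("employee-as-patient")
    if patient.vip:
        flags.append("vip-patient")
    if user.terminated_on is not None and accessed_on >= user.terminated_on:
        flags.append("terminated-user")
    if user.last_name.lower() == patient.last_name.lower():
        flags.append("same-last-name")
    if normalize_address(user.address) == normalize_address(patient.address):
        flags.append("same-address")
    return flags


def review_access_log(log, users, patients):
    """Step 1: which patients did each user touch, and which accesses need review."""
    findings = []
    for entry in log:  # entry = (date, user_id, patient_id)
        accessed_on, user_id, patient_id = entry
        flags = access_flags(users[user_id], patients[patient_id], accessed_on)
        if flags:
            findings.append((entry, flags))
    return findings


def access_creep(users, baseline=ROLE_BASELINE):
    """Step 2: entitlements each user holds beyond the standard set for their role."""
    report = {}
    for u in users.values():
        extra = u.entitlements - baseline.get(u.role, set())
        if extra:
            report[u.user_id] = sorted(extra)
    return report


# Constructed sample data.
USERS = {
    "jsmith": User("jsmith", "Smith", "12 Oak Street", "nurse", {"chart.read", "meds.administer"}),
    # mlee moved from nursing to billing; the nursing right was never removed.
    "mlee": User("mlee", "Lee", "400 Pine Ave", "billing", {"chart.read", "claims.submit", "meds.administer"}),
    "rgarcia": User("rgarcia", "Garcia", "7 Elm St", "nurse", {"chart.read", "meds.administer"},
                    terminated_on=date(2017, 3, 1)),
}
PATIENTS = {
    "P1": Patient("P1", "Smith", "12 oak st."),                    # likely a family member of jsmith
    "P2": Patient("P2", "Lee", "99 Birch Rd", employee_user_id="mlee"),  # mlee's own record
    "P3": Patient("P3", "Doe", "1 Main St", vip=True),
    "P4": Patient("P4", "Brown", "5 Cedar Ln"),
}
ACCESS_LOG = [
    (date(2017, 3, 10), "jsmith", "P1"),
    (date(2017, 3, 11), "mlee", "P2"),
    (date(2017, 3, 12), "jsmith", "P3"),
    (date(2017, 3, 12), "rgarcia", "P4"),  # after termination
    (date(2017, 2, 1), "rgarcia", "P4"),   # before termination, routine
    (date(2017, 3, 13), "mlee", "P4"),     # routine
]

if __name__ == "__main__":
    for entry, flags in review_access_log(ACCESS_LOG, USERS, PATIENTS):
        print(entry, "->", ", ".join(flags))
    print("access creep:", access_creep(USERS))
```

Each flagged access still needs a human decision (a nurse legitimately treating a colleague trips “employee-as-patient”), which is why the organizations pair the automated alerts with the privacy officer’s quarterly manual review; the termination rule depends on HR feeding termination dates into the audit data promptly.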

Walk about audit processes

Both organizations interviewed indicated that each area of the organization is visited every 12 to 18 months during a walk about, including the hospital, home health, physician practices, corporate offices, and other organizational entities.

This internal audit process reviews compliance with policy as well as the security safeguards in place. During these walk abouts, the privacy and security officers check that PHI and material awaiting shredding are secured, that screens face away from the public, that PHI on white boards is handled per policy, and that sign-in sheets are handled per policy. They also observe interactions with patients and visitors and confirm that the notice of privacy practices is posted as HIPAA requires and distributed per policy. In addition, the auditors check that confidential information, such as the reason for a visit, cannot be overheard.

Staff are interviewed and asked nine questions, including the following:

  • How do you report a real or suspected privacy or security issue?
  • How do you release information to patients?
  • What can you leave on a patient’s or family member’s answering machine?
  • How do you verify callers requesting patient information over the phone?
  • Where do you find privacy and security policies?

From a security perspective, the auditors check that unattended computers have been logged off per policy, that passwords are not “taped to the keyboard,” that printers and fax machines are not located where the public could remove confidential output, that rooms that should be locked are in fact locked, and that badge access to secure areas is being used.
