What are the HIPAA audit requirements?

Conducting HIPAA audits verifies covered entities and business associates' compliance with the set HIPAA regulations. Adhering to these audit requirements helps preserve patients' protected health information (PHI), reduce the risks of data breaches, and ensure conformity with the stipulated provisions of HIPAA standards for both parties involved.

Who is audited?

Every covered entity and business associate is eligible for an audit.

The selection process

• Random selection: The Office for Civil Rights (OCR), which enforces HIPAA, may employ a random selection process to choose entities for audit. This can include covered entities as well as business associates.
• Pre-audit questionnaire: Selected entities may receive a pre-audit questionnaire seeking information about their operations, privacy, and security practices. This helps OCR assess the entity's risk profile and determine the scope of the audit.

What do auditors look at?

Administrative safeguards (Security Rule)

• Security management process: This involves the development and implementation of security policies and procedures.
• Security risk analysis: Entities are expected to conduct a comprehensive risk analysis to identify and mitigate potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
• Security risk management: Following the risk analysis, entities must implement measures to manage and mitigate identified risks.
• Information security officer: Designation of an individual responsible for overseeing the entity's information security program.
  
  

Physical safeguards (Security Rule)

• Facility access controls: Limiting physical access to facilities and electronic information systems.
• Workstation security: Implementing policies and physical safeguards to protect electronic information on workstations.
• Device and media controls: Safeguarding the movement and disposal of hardware and electronic media containing ePHI.
  
  

Technical safeguards (Security Rule)

Access control: Implementing procedures to limit access to ePHI.

Audit controls: Implementing mechanisms to record and examine system activity.

Integrity controls: Implementing measures to ensure the integrity of ePHI.

Transmission security: Implementing safeguards to protect ePHI during transmission.

Policies and Procedures (Privacy and Security Rules)

Privacy Rule compliance: Assessing adherence to the Privacy Rule, which governs the use and disclosure of PHI.

Security Rule compliance: Ensuring compliance with the Security Rule, which addresses the protection of ePHI.

Breach Response and Reporting

Incident Response: Assessing the entity's ability to respond to and contain security incidents.

Breach Notification: Ensuring that the entity has processes in place to promptly notify affected individuals and the appropriate authorities in the event of a data breach.

Documentation and Record-Keeping

Documentation of policies and procedures: Auditors check whether the entity has documented policies and procedures in place.

Training records: Verification of staff training records related to HIPAA compliance.

Go deeper: 

• What is the HIPAA Security Rule?
• What is the HIPAA Privacy Rule?
• What are administrative, physical and technical safeguards?
  
  

Audit requirements

Learn the HIPAA compliance rules

In 1996, the US Congress passed the HIPAA legislation with two main objectives: streamlining medical operations and ensuring continuity of healthcare insurance when changing jobs. The Department of Health and Human Services (HHS) has since incorporated a set of compliance regulations to enforce PHI security measures and protect privacy.

• Privacy Rule: The HIPAA privacy rule ensures that healthcare providers safeguard the privacy of patient data. The rule outlines what healthcare providers can disclose about the patients’ data and how they can use it. It also guarantees the patients the right to access their PHI and medical records. The rule requires healthcare organizations to formulate and implement written privacy rules, notify such regulations to their patients in writing, and train their staff regularly.
• Security Rule: This rule requires healthcare providers to secure their patients’ PHI. More specifically, it outlines the standards required to protect electronically protected health information (ePHI), specifying how the covered entities and business associates should handle, manage, and transmit it.
• Omnibus Rule: The omnibus rule outlines the role of business associates in HIPAA. HHS enacted these regulations in 2013 to address policy gaps that existed in earlier HIPAA rules. The omnibus rule also provides new provisions required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
• Breach Notification Rule: The breach notification rule stipulates actions that healthcare providers must take in the event their systems are breached. The rule specifies the timelines for reporting breaches to the Office for Civil Rights (OCR) and individuals whose PHI has been breached and what measures the healthcare provider is undertaking to restore normalcy.
• Enforcement Rule: This rule empowers HHS to enforce security and privacy rules. It authorizes the OCR to probe HIPAA complaints, undertake compliance reviews, levy fines on non-compliant providers, and carry out education and outreach activities. The OCR also refers to possible criminal violations of HIPAA to the Department of Justice (DOJ) for further actions.

Prepare for the HIPAA audit

There are six fundamental elements that you must consider to prepare for a HIPAA audit:

1. Implement robust policies, standards, and procedures: Develop administrative systems and processes meeting HIPAA compliance rules. Additionally, you need to ensure that your staff is trained routinely in all aspects of the HIPAA compliance processes.
2. Implement strong technical and physical measures: Ensure that all the data relating to PHI is foolproof. Implementing robust technical standards such as limiting access to ePHI to authorized personnel, monitoring access logs for irregular activities, or using strong encryption can help you remain compliant. Besides technical standards, you also need to implement physical safeguards, such as restricting users with physical access to certain offices and facilities.
3. Undertake HIPAA risk assessment regularly: Risk assessment should be an ongoing process where you review your healthcare records periodically. This can help you track which entities have accessed ePHI and detect security breaches while evaluating the effectiveness of your measures.
4. Report security breaches: Always notify the OCR and customers about any data breach whenever it occurs. You must also develop procedures that outline the organization's measures if the systems get attacked.
5. Investigate any violations and execute corrective measures: Investigate any identified violations thoroughly and take corrective actions.
6. Document everything: Document measures your organization has undertaken to address data breaches, contacts of all business associates, and HIPAA violations within your systems.

Related: HIPAA Compliant Email: The Definitive Guide