Whether you are a covered entity or a business associate, receiving a communique from the Office of Civil Rights can be stressful. Hearing from the enforcing authority of HIPAA, one of the most stringent healthcare regulations in the world, sure isn’t what your dreams are made of.
But on the off chance you do get selected for a HIPAA audit, what should you do? For starters, don’t panic. We have put together this guide on what you must do and how you could prepare for a HIPAA compliance audit.
Let’s dive in.
What is HIPAA Compliance Audit?
A HIPAA compliance audit is an annual exercise conducted by the US Health and Human Services (HHS) Office for Civil Rights (OCR) to examine how covered entities or business associates handle their protected health information (PHI and ePHI). PHI is any health information that identifies an individual (such as name, address, and health conditions), and is maintained or exchanged electronically or in hard copy.
HIPAA defines covered entities as healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically and generate, store, transmit and handle PHI. Business associates are service providers, vendors and entities that work on behalf of HIPAA-covered entities that involve the use or disclosure of PHI.
The OCR started conducting HIPAA audits in 2014. It audits business associates and covered entities periodically to ensure their compliance with HIPAA’s Privacy, Security, and Breach Notification rules, among others.
More often than not, it is the large healthcare organizations that get picked for random HIPAA audits. That said, organizations can be selected for a HIPAA audit program even if a complaint of violation is filed against them (by a patient, whistleblower, or employee). It’s important to note that a complaint doesn’t always come in the form of a formal complaint.
Wondering what happens if you get picked for an audit? Well, typically, the OCR first sends questionnaires to the selected organizations and decides to audit them based on the answers it receives.
In an audit, the OCR auditors thoroughly investigate your organization to ensure your compliance with all five HIPAA rules. The audit includes a review of your current policies and procedures regarding the confidentiality, integrity, and availability of PHI.
Here are the five main rules your organization must comply with to face your HIPAA audit confidently.
- Privacy Rule
- Security Rule
- Transaction Rule
- Identifiers Rule
- Enforcement Rule
- The Privacy Rule: This rule aims to prevent unauthorized use of PHI and medical records. Additionally, it gives individuals the right to access and edit their information, and requires organizations to take the patients’ consent before their data is shared with any third party. It also gives patients the right to file a complaint if their data is misused or shared without consent.
- The Security Rule: This rule defines best practices for storing, using, and securely sharing ePHI. It outlines measures to protect ePHI with administrative, physical, and technical safeguards.
- The Transaction Rule: To ensure that medical records are safe and secure, the transaction rule addresses standardized codes and how they must be used.
- The Identifiers Rule: HIPAA requires covered entities to have a unique identification number called the National Provider Identifier (NPI) to ensure that NPIs are used correctly during transactions.
- The Enforcement Rule: This rule outlines the provisions regarding the imposition of penalties for violations levied.
The other rule you must know of is the HIPAA Omnibus Rule which strengthens PHI’s privacy and security. It includes guidance and awareness on:
- Managing patient information for marketing purposes
- Reporting data breaches to HHS even if the breach is deemed harmless
- Responsibilities of business associates and subcontractors in the event of a breach
The audit report documents your efforts and may identify gaps or weaknesses in your current system. At the end of the audit, the OCR will send you its draft findings. You must develop and revise your policies and procedures within 60 days and revert to the HHS. Once your corrective action plan is approved, you have 30 days to implement the updated policies.
Failure to verify or comply with any of the above rules can result in hefty financial penalties against your organization.
Your best bet, therefore, is to consistently review and update your HIPAA policies and procedures, train staff on security measures, and promptly address any reported issues.
Why Do Companies Need to Go Through a HIPAA Compliance Audit?
Short answer: you don’t have much choice if you get picked for an audit! The OCR periodically selects organizations for audits to ensure compliance with federal law. Note that if selected for an audit, you will have just 10 days to respond to the OCR.
For example: In 2019, Anthem Inc., one of the largest health insurers in the US, was required to pay $16 million after failing a HIPAA compliance audit due to a security breach. And Anthem is just one among the many organizations that have paid severely for their oversights in HIPAA compliance.
How To Conduct HIPAA Compliance Audit
The key to passing your HIPAA audit with flying colors is to be HIPAA ready always. And so, the best time to prepare for an audit is before you’re in one.
Here are the 6 steps to complete HIPAA Compliance Audit in 2023:
- Appoint a HIPAA Security and Privacy Officer
- Conduct HIPAA Training for Employees to Make Them Understand HIPAA Guidelines
- Create a Risk Management Plan and Conduct a Risk Analysis
- Implement Periodic Review of Policies and Procedures
- Conduct an Internal Audit
- Create an Internal Recovery Plan
Step 1: Appoint a HIPAA Security and Privacy Officer
HIPAA mandates organizations to appoint a HIPAA security and privacy officer. In the past, it was commonly assumed that your company’s IT manager would be responsible for security and privacy by default. However, this is no longer the case, as overseeing these areas has become a much larger responsibility.
So, who should you appoint as a HIPAA privacy and security officer? The assigned individual(s) will take charge of handling all HIPAA-related issues, including protection of. ePHI and PHI.
Primary responsibilities of a HIPAA privacy and security officer includes:
- Develop and oversee your organization’s privacy policies and procedures
- Ensure that your security policies and procedures are adequate to protect the company’s PHI, and develop new policies and procedures where needed
- Annually train and monitor your organization’s workforce on HIPAA regulations
- Investigate possible breaches where ePHI or PHI may have been compromised
- Establish policies and procedures to protect PHI when privacy policies do not adequately address the issue
When appointing a candidate for this role, consider their experience, technical expertise, and ability to interact effectively with staff and executives. Remember, this officer(s) will be responsible for liaisoning with OCR during the audit.
Step 2: Conduct HIPAA Training for Employees to Make Them Understand HIPAA Guidelines
You must train your employees on HIPAA regulations, its many nuances and the implications of noncompliance. Comprehensive training ensures that all employees in your organization are up to date with the recent updates in the law as well as the best practices to ensure security of the PHI.
The first step to achieving this goal is to provide education and training materials to all employees, covering topics such as the rights of patients and how to handle confidential information. Ideally, every employee should get trained soon after their joining.
Here is a checklist of what your HIPAA training must accomplish.
- Ensure employees understand the importance of HIPAA and why it’s necessary to protect PHI
- Reviews the basics of HIPAA law and how it applies to your company
- Outlines the specific procedures and controls employees should follow when handling patient Information
- Explains the consequences of violating HIPAA rules
- Ensure employees are always updated on the latest changes to HIPAA law through regular training
Step 3: Create a Risk Management Plan and Conduct a Risk Analysis
Performing a security analysis is the next step in identifying any vulnerabilities. Each organization is different and its risk assessment processes vary in order to accommodate size, risks, and business needs. That’s why there is no “one-size-fits-all template” readily available.
Note: you need to maintain sound documentation that you have conducted your organization’s risk assessments and HIPAA risk analysis to produce during the audit.
So, here are five steps you can take to conduct a risk assessment:
- Map how your PHI flows and where it is created and transmitted. What happens to PHI in the system, how is it stored, and how does it leave the environment?
- Identify threats, risks, and vulnerabilities in your system, applications, and processes. Hackers, weak passwords, and disgruntled employees are all threats to your business.
- Decide and analyze your HIPAA risk level. To properly rank risks, consider both the probability of a threat occurring and its potential impact.
- Create a risk management plan and test your environment with vulnerability scans, penetration tests, and gap analysis.
- Document and outline everything.
By proactively managing risks, you will ensure the safety and security of your patient’s sensitive information stored in a HIPAA-compliant software. That you will clear your HIPAA audit is a happy incident.
Based on your risk analysis, you must implement the required safeguards and consider implementing the addressable ones.
Step 4: Implement Periodic Review of Policies and Procedures
As with any aspect of a successful business, it’s not enough to simply establish policies and procedures – you must also regularly review and refine them for maximum efficiency.
You can achieve this by implementing periodic reviews of policies and procedures. The OCR will review how your policies are being implemented and see how you’ve created a progression plan. This way, the OCR knows when progress is being made towards achieving the goal of new programs or policies.
For example, a company reviews employee training materials and tools annually to check for understanding of HIPAA policies and procedures.
By taking proactive steps to review and update policies regularly, organizations can show their dedication to maintaining HIPAA compliance and avoid any possible penalties during an audit.
Step 5: Conduct an Internal Audit
An internal audit allows you to identify and address potential risks or instances of non-compliance saving you both time and money. You can perform a security risk analysis to determine weaknesses in your internal audit process.
For example, do your employees know how to report a HIPAA violation?
An internal audit is conducted to identify areas where answers are needed and procedures can be updated. Some areas for review include technical safeguards for the protection of ePHI and the physical security of paper files, among others.
Step 6: Create an Internal Recovery Plan
A crucial part of HIPAA auditing is having a plan for further steps in case of a data breach or other violation. This internal recovery plan should outline specific steps to address and rectify the breach as well as prevent future occurrences.
For example, the plan may include steps for notifying affected individuals, reporting the incident to necessary authorities, conducting a risk assessment, implementing additional security measures, and providing staff training on compliance protocols.
Developing an effective internal recovery plan can mitigate damage in the event of a HIPAA violation and demonstrate an ongoing commitment to compliance during audits.
How Much Does a HIPAA Audit Cost?
HHS covers the cost of the on-site auditors. It is safe to note that neither covered entities nor their business associates bear the costs of a HIPAA audit.
But if you want to conduct an internal audit (by an external auditor) to review your HIPAA compliance, it could set you back by about $8000 over a four-six week period. Again, the cost of this audit can vary greatly depending on several factors. For example, a larger company with multiple locations and a complex network may require a more thorough audit, resulting in a higher cost than an individual practitioner’s office.
How long does it take to complete a HIPAA audit?
It takes roughly about a month to complete the HIPAA audit. As per OCR, organizations that get selected for audits, will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response.
Post this, OCR will share a copy of the final report with the audited entity.
Though onsite audits will be more comprehensive, the timeline for reviewing investigation findings and submitting comments is the same.
Types of HIPAA violations that can cause HIPAA audit
There are many types of violations in HIPAA, but here are some of the most common violations that you need to be aware of:
Disclosure and Unauthorized Access to PHI
A frequent HIPAA infringement is unauthorized access or revelation of PHI. HIPAA requires business associates and covered entities to ensure that authorized people have access to PHI.
For example, your employee may inadvertently mail a PHI to an incorrect recipient instead of the said patient. Now the incorrect recipient can access PHI without any authorization whatsoever. This is an example of the mishandling of medical records.
Lack of Security Measures
Another common HIPAA violation is a lack of security measures to protect PHI from unauthorized access or disclosure. Business associates and entities must implement physical, technical, and administrative security measures to protect PHI.
For example, a ransomware attack can infect your network servers by copying the patient record due to a lack of security measures. Or an employee may leave their laptop with PHI access open to public view, or a new employee might miss going through the HIPAA training.
Lack of Patient Authorization
HIPAA also requires obtaining patient authorization before using or disclosing PHI for most purposes. Authorization must be obtained from the patient in writing and the consent must specify the specific uses or disclosures.
Improper Disposal of PHI
You are also required to take steps to ensure the proper disposal of PHI. PHI should be shredded, burned, or otherwise destroyed so that it cannot be read or reconstructed. However, HIPAA requires you to maintain all HIPAA-related documentation for six years.
Failure to Notify Patients of a Breach
Under HIPAA, covered entities are required to notify patients if their PHI has been subject to a breach. A breach is defined as an unauthorized use or disclosure of PHI that compromises its privacy or security.
How can Sprinto help you with HIPAA Compliance Audit?
Ensuring compliance with HIPAA regulations can be a daunting task for any business associate. While your BAA would spell out the extent of your responsibilities, you must be ever vigilant and comply with HIPAA.
Sprinto is built to help cloud-hosted business associates get HIPAA compliant in an easy and effortless way. From editable policy templates to integrated risk assessments with in-app suggestions on the required safeguards for the identified risks, Sprinto’s compliance automation software packs a punch. The platform also offers HIPAA training modules for your employees, and updates the modules to reflect the most recent changes to the law.
Sprinto’s documentation trail with evidence collection and continuous real-time monitoring of your compliance posture sets you up to bring your compliance A-game every day.
Schedule a free demo to see how Sprinto can help you get HIPAA compliant and stay compliant.
Why is HIPAA audit important?
HIPAA audit is important because it’s triggered either randomly by the OCR or due to a complaint filed by an employee, individual, or a related party. Either way, it puts the OCR’s focus on your organization’s HIPAA compliant status, and failing to demonstrate compliance or ‘good faith’ efforts to comply can risk massive penalties, and even jail time.
How do you do a HIPAA compliance audit?
It is the OCR that conducts HIPAA compliance audits. However, you can perform an internal audit to ensure that your organization follows all necessary protocols to protect patients’ PHI.
Nothing, however, compares to the scrutiny of an actual OCR audit. These audits, which often come as a surprise, leave no stone unturned in evaluating all your policies and procedures. So, don’t get caught off guard. Proactively conduct your internal audits and stay prepared when the OCR comes knocking.
How often is a HIPAA audit conducted?
OCR conducts the HIPAA audit annually; but companies are either chosen randomly or following complaints. The Health Information Technology for Economic and Clinical Health (HITECH) Act necessitates that the HHS regularly audit covered entities or business associates to ensure they comply with the HIPAA rules.
Remember that you can audit internally or hire an auditor to review your current procedures and policies related to safeguarding information before the OCR audit.
Who can perform a HIPAA audit?
HIPAA audits are conducted by the OCR. OCR is a division of the HHS responsible for enforcing HIPAA’s Privacy, Security, and Breach Notification Rules.