HIPAA Audits: A Preparation Checklist
Self-Assessment, Documentation and Other Key Steps
"This is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment," says Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, which oversees the audit program. "We think that this will help them down the road in terms of building their own capacity for a robust compliance program, training of individuals and making sure that there is awareness throughout the entity of their security and privacy rules and responsibilities."
The upcoming audits also are a good opportunity to "review policies and procedures to make sure that they are complete and up-to-date," she stresses.
The HHS Office for Civil Rights has entered into a contract with KPMG to conduct about 150 HIPAA privacy and security rule compliance audits by the end of 2012. The audit program was mandated by the HITECH Act.
Self-Audits Essential
Conducting a self-audit on privacy and security issues and creating a plan for remediating risks are essential steps, says Cliff Baker, CEO of Meditology Services, which advises organizations on privacy and security compliance issues.
"It puts an organization in a much stronger position for it to be discussing timelines and priorities for remediation versus being surprised by the auditors' findings ... and being in a reactionary mode," Baker stresses. He advises organizations to "have a plan in place for remediation, even if over a multi-year period."
To help back up their privacy and security strategies, healthcare organizations should be able to cite a "reference base" for their decisions, Baker adds. "You don't want this to be a debate between the experience of your security and privacy people and that of the auditors. It's a much stronger position to make sure that you're grounded in some reference source."
Good reference sources, Baker says, include the Health Information Trust Alliance's Common Security Framework, the SANS Institute's list of key exposure areas, or the National Institute of Standards and Technology's security standards.
Baker also notes that it's fair game to "ask auditors to defend their findings" by asking tough questions about the reference sources they used.
HIPAA in the Trenches
A key component of a self-audit is doing a walk-through to check how well policies and procedures are being carried out throughout the organization, says Adam Greene. Now a partner at the Washington law firm Davis Wright Tremaine LLP, Greene formerly was a senior official at the Office for Civil Rights, where he helped enforce the HIPAA privacy and security rules.
"There are a lot of policies and procedures that look really good on paper, but in the reality of a complex and busy environment, they just don't work in practice really well," Greene says. "And that's not something that you're going to be able to find sitting in the office of the privacy officer. ... You have to go down to the staff, look around and see what's working and what's not. ... If you don't do it, the auditors will. So you want to have a fresh set of eyes looking at this before they come."
Documentation
Another important audit preparation step is to make sure all necessary privacy and security documentation is readily available and up to date.
Auditors will ask to see a risk analysis, as mandated by HIPAA, and a risk management strategy, Greene notes. "They'll want to have clear documentation that you have looked at the risks that are specific to your organization and that you have managed those risks," he says.
Baker says auditors also will ask for current policies and procedures, plus other documents, including: the results of any prior audits; an organizational chart for security functions; a technology inventory that describes where patient information is stored and which security tools are used; business associate agreements; and an incident response plan. They may even ask for user access lists, system configurations and training materials, he notes.
Security Incidents
HIPAA compliance auditors, Baker says, likely will ask if an organization has experienced an information breach or other security incident.
"The right answer is not 'no.' They would typically expect that you have had incidents, and they'll want to know what you've done to handle those incidents," he says.
Auditors also will ask detailed questions about the business associates with which the organization shares data, and how those vendors are protecting the information, he adds.
Proof of HIPAA Training
In addition to documenting a comprehensive HIPAA compliance training program, healthcare organizations must be prepared to provide evidence that specific members of the workforce have actually received that training, Greene says. "If you have a training module, but have no way of demonstrating that people have actually been trained, it would be helpful to collect that documentation."
Organizations should update their training as new issues arise, Greene notes. "If you've had five incidents related to improper disposal of protected health information, but your training does not in any way touch on how protected health information should be disposed of, that's ... a critical vulnerability."
The training should make it clear that there are tough sanctions for violating privacy and security policies, Greene adds. "Your compliance program won't be very effective if people don't feel that there are consequences for violating it."
Demonstrate Security Controls
Mac McMillan, CEO of the consultancy CynergisTek, advises organizations to be ready to demonstrate that security controls are actually working (see: Top 10 Tips for HIPAA Audit Prep). For example, if an auditor says, "I want to see how you handle access control," the organization must be able to describe the process in great detail, McMillan says.
"Demonstrating controls is about building confidence that you have a security program and you know what you're doing and can show the results of what you are doing," he adds.
McMillan also encourages hospitals, clinics and others to "embrace the audit" and help the audit team understand the organization. "The fact that an auditor may have audited other healthcare organizations does not equate to knowing your unique environment or having an immediate appreciation for how you manage risk," McMillan stresses. "So be prepared to start the audit off with an orientation to your organization and your security program."
He stresses: "An auditor can come to the wrong conclusion if he doesn't truly understand what you are doing."