The Health Information Technology for Economic and Clinical Health (HITECH) Act made it important for healthcare organizations and other covered entities to develop a HIPAA audit checklist. The purpose of a HIPAA audit checklist is to list all elements of HIPAA Rules and compare this to the policies, procedures, and controls that have been implemented as part of the organization’s compliance efforts to ensure that no gaps exist.
The amendments to HIPAA mandated by the HITECH Act were introduced, in part, due to a lack of commitment to HIPAA compliance at many healthcare organizations and the increasing number of ePHI breaches that had occurred as a result. The rising number of breaches has been attributed to the growing use of technology in healthcare, especially mobile devices. The HITECH Act increased the penalties for noncompliance considerably. The Omnibus Final Rule of 2013 also required business associates to comply with HIPAA Rules or face fines for noncompliance.
The Department of Health and Human Services (HHS) is the main enforcer of HIPAA compliance and investigates data breaches to determine whether the breach was caused by a HIPAA violation. The HHS' Office for Civil Rights (OCR), which carries out enforcement on HHS' behalf, is also required by the HITECH Act to conduct periodic compliance audits of covered entities and business associates. OCR has since released its audit protocol for the second phase of its compliance audit program.
Creating and using a HIPAA audit checklist is not itself a Security Rule implementation specification, neither a "required" nor an "addressable" one, but it makes sense given the number of data breaches now occurring and the very real possibility that a covered entity or business associate may be selected for a compliance audit. A checklist helps to ensure that everything is in order, that the documents supporting compliance efforts can be produced on request, and that covered entities and business associates can demonstrate good faith efforts to comply with HIPAA Rules in the event of a breach investigation or compliance audit.
In February 2014, OCR revealed its plan to survey 1,200 HIPAA-regulated entities, 800 covered entities and 400 business associates, as the initial step in choosing entities for a HIPAA compliance audit. OCR planned to collect recent data about patient visits, how ePHI is transmitted electronically, revenues, and business locations in order to assess the "size, complexity and fitness of a respondent for an audit".
Being chosen to take part in the survey does not necessarily mean that an entity will go on to be audited. However, it is important for all covered entities and business associates to be aware of the audit protocol. In the previous round of compliance audits, OCR found that most of the covered entities audited did not meet the requirements in the areas of security, privacy, and breach notification. This was attributed largely to covered entities being "unaware of the requirements", a problem a HIPAA audit checklist is designed to eliminate.
The chance of being selected for the OCR survey and going on to a HIPAA audit is small. There are more than 700,000 healthcare organizations that could be chosen for a compliance audit and around 2-3 million business associates that now fall under the remit of the HIPAA regulations. Regardless, it is in every covered entity's and business associate's best interests to ensure that they are HIPAA compliant.
A good place to start preparations for a HIPAA audit is to conduct a risk analysis (45 CFR 164.308(a)(1)(ii)(A)). Any risks to the confidentiality, integrity, and availability of ePHI that are identified must then be addressed through the risk management process (45 CFR 164.308(a)(1)(ii)(B)), which requires that risks and vulnerabilities be reduced to a reasonable and appropriate level. The risk analysis and risk management requirements of the HIPAA Security Rule were two of the most common areas of noncompliance when OCR conducted its last set of compliance audits in 2011/2012.
A HIPAA audit checklist should be based on the HIPAA Rules and the HHS audit protocol. It should cover every aspect of the Privacy, Security, and Breach Notification Rules that could be assessed by OCR during its "desk audits" and the full on-site compliance audits that follow. Each element on the checklist must be assessed against the policies, procedures, and privacy and security controls that have actually been implemented, with evidence gathered for each. The result should be a list of areas where compliance needs to be improved and of required documents that are missing and need to be located or (re)created.
While the focus is naturally on policies, procedures, and controls that protect patient privacy, prevent unauthorized disclosures of PHI, and secure health data, the checklist must also cover the policies and procedures that implement patient rights under HIPAA, such as the right of access to records. This is an area of focus for OCR in the upcoming audits.
Preparing for a HIPAA audit will help covered entities and business associates find risks and vulnerabilities, as well as aspects of the HIPAA requirements that have been missed or misinterpreted.
A HIPAA audit checklist is the ideal tool for finding gaps and weaknesses in a healthcare organization's compliance program that could otherwise be exploited. It is in your best interests to create and use a HIPAA audit checklist and to carry out an internal audit. It is far better to find the gaps in your compliance program and correct them than to have OCR uncover them and face a potential compliance penalty. HITECH's tiered penalty structure takes into account whether a violation resulted from willful neglect and whether it was corrected promptly, so an organization that proactively finds and addresses noncompliance is in a far better position to avoid or reduce a financial penalty.