The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. And it guards private data against cyber-attackers. HIPAA sets strict standards for healthcare providers and insurers. When organizations fail to meet those standards, HIPAA audits result.
HIPAA audits are a fact of life for organizations that handle Protected Health Information (PHI). And preparing for audit processes is crucial. This article will explain what HIPAA audits are and provide practical guidance about how to prepare.
What is a HIPAA audit?
HIPAA audits are assessments of HIPAA compliance by the Office for Civil Rights (OCR). A HIPAA audit investigates whether covered entities and Business Associates follow HIPAA regulations. The audit may confirm that an organization is non-compliant. OCR will then administer financial penalties or recommend corrective measures.
OCR audits fall under the HIPAA Enforcement Rule. This rule sets out penalties for HIPAA violations. It also defines the difference between criminal and civil violations. The Department of Justice handles criminal cases. OCR audits apply to civil violations.
Covered entities may also schedule internal or third-party HIPAA audits. These exercises are valuable and contribute to enhanced compliance. They are not official procedures. Nonetheless, covered entities and associates should regularly audit their HIPAA policies.
Internal auditing helps organizations prepare for OCR audits. And it generally strengthens compliance throughout healthcare businesses.
Why are HIPAA Compliance audits needed?
HIPAA audits serve an important purpose in the regulatory environment.
From a regulatory perspective, audits gather information about covered entities. OCR then uses this knowledge to make informed decisions. Regulators can decide whether regulatory violations occurred. They can assess the severity of violations. And they can levy appropriate penalties.
Without HIPAA audit processes, the regulatory system would be opaque. It might also result in unfair outcomes for regulated entities. Auditing also balances economic and clinical health concerns. It exposes negligent healthcare organizations. However, it allows responsible organizations to show they have taken action to remedy violations.
Regular self-audits are also valuable for healthcare providers and insurers. Compliance audits examine internal policies. They identify areas where improvement is needed. And they assess critical issues like PHI protection or providing access to patient records.
Audits also protect patients. They encourage covered entities to put in place robust security and privacy measures. And they guard private health information against cyber-attackers or insider threats. Solid auditing ensures that clinical health data remains confidential.
These benefits make it essential to execute regular HIPAA compliance audits. All covered entities and Business Associates should audit their compliance posture. Preparing for OCR audits should be a compliance management priority.
What causes a HIPAA audit?
OCR decides whether to launch a HIPAA audit. Various factors can trigger this decision. Knowing these causes matters. It allows organizations to detect regulatory risks before they become critical.
The three core triggers for a HIPAA audit are breach reports, complaints, and historical non-compliance.
Breach reports
Under the Breach Notification Rule, HIPAA-covered entities must report ePHI or PHI exposure to the OCR. Not every breach results in an OCR audit. Regulators assess:
- The organization’s history of compliance or non-compliance
- How long the breach exposed private health data
- How many patient records were exposed
- Whether the organization has taken action to fix compliance problems
HIPAA audits result when organizations have been negligent or failed to remedy regulatory failings. Triggers for an OCR audit include:
- Disclosure of PHI. Employees may disclose PHI accidentally due to poor training. Malicious staff members may steal health data for personal use. In all cases, regulatory violations compromise patient data. Audits will usually result if organizations do not fix these problems.
- Weak security controls. Organizations not following the HIPAA Security Rule may expose PHI to external attackers. Poor physical security measures may allow access to filing cabinets and electronic devices.
- Incorrect PHI disposal. Covered entities must dispose of medical records safely. If regulators detect many examples of improper PHI destruction, they may launch audit processes.
- Breach notification failures. Failure to follow the Breach Notification Rule regularly leads to HIPAA audits.
Audits occur when OCR believes that covered entities or Business Associates are non-compliant. Regulators detect a public interest in assessing regulatory compliance. But they do not act without reasonable suspicion.
Complaints
OCR also launches HIPAA audits following complaints or confidential information. Audit triggers could include:
- Failure to allow the Right of access. Under the Privacy Rule, healthcare organizations must provide patients access to their electronic Protected Health Information.
- Lack of patient authorization. Patients may also complain about unauthorized use of PHI. For example, providers may use patient data in marketing campaigns without the individual’s consent.
- Whistleblowing. Internal or third-party whistle-blowers can also prompt HIPAA audits. In these cases, individuals may know about unreported HIPAA violations. Covered entities may ask associates to violate HIPAA marketing rules. Or managers may allow employees to mishandle health information.
Historical non-compliance
HIPAA audits are more likely if organizations that have violated healthcare regulations before. OCR often schedules follow-up exercises. These audits check that organizations are following Corrective Action Plans (CAPs). And they can levy extra fines if organizations are not HIPAA compliant.
When and who performs HIPAA audits?
OCR carries out official HIPAA audits following one or more of the triggers discussed above. Regulators apply an audit program protocol that sets out the structure of all official investigations.
This audit program applies to all HIPAA-regulated entities. The audit process takes the following form:
- Regulators send a questionnaire to the entity involved. This pre-audit document requests information about the organization. Information requested includes the organization’s size and type of operations. A list of Business Associates is also necessary.
- OCR also sends a notification letter (or email) to the entity under investigation. This letter formally starts the HIPAA audit process.
- Regulators introduce and despatch an audit team. The team will work on-site and remotely to assess compliance.
- During the audit process, regulators generally request extensive documentation. Covered entities send this information to OCR via a secure portal. This portal serves as the main point of contact during the process.
- Auditors write draft reports about their findings. But these are not final. Organizations can respond to draft documents and make representations before the audit concludes. OCR will include these representations in the final audit report.
Compliance Officers and Privacy Officers carry out internal HIPAA audits. Alternatively, organizations may hire third-party auditors to assess their policies and procedures. A compliance best practice is to schedule annual audits. Annual audits need separate assessments regarding the Privacy, Security, and Breach Notification rules.
Who needs to conduct HIPAA compliance audits?
HIPAA compliance audits involve organizations that handle or store Protected Health Information. PHI is legally defined by HIPAA regulations, and knowing what constitutes PHI is a regulatory must.
HIPAA-covered entities and business associates should carry out annual internal compliance audits. And if resources are available, organizations should design real-time auditing systems. Enhanced auditing detects regulatory problems at an early stage. It also helps organizations prepare for OCR audits.
Covered entities should also schedule a HIPAA compliance review when their internal systems change. For instance, auditing should follow the installation of a new enterprise-wide IT system. Similar changes could include cloud data migrations or corporate mergers.
How to prepare for a HIPAA compliance audit?
Healthcare organizations should prepare for HIPAA audits by carrying out self-assessments. Self-assessments identify compliance weaknesses. They gather information about how the organization stores and handles PHI. And they organize the documentation needed to make the official audit process smoother.
The result is a HIPAA compliance plan that makes dealing with an OCR audit easier.
The first step in preparing for a HIPAA compliance audit is understanding what audits involve. Components of a typical compliance audit include:
- Administrative controls. How the organization manages PHI security. Includes policy documentation, incident response plans, and employee training.
- Privacy safeguards. Whether the organization complies with the HIPAA Privacy Rule.
- Security controls. Whether the organization follows Security Rule requirements. Includes technical safeguards and physical measures.
- Breach notification. How well the organization responds to incidents. Includes notification, threat mitigation, and incident logging.
- Business associate management. Ensuring Business Associate Agreements require HIPAA-compliant partners.
Organizations must be clear about the scope of the audit. After that, audit preparation tends to unfold as follows:
1. Appoint a Security and Privacy Officer
If you do not already have one, assign an individual to manage HIPAA compliance. This officer will oversee the HIPAA compliance audit. They will liaise with the Department for Health and Human Services. And they will handle day-to-day compliance management.
The responsible officer should have support from the IT team security officer. And they need executive backing to make any necessary changes.
2. Carry out a HIPAA risk assessment
Healthcare organizations must carry out a risk assessment of their compliance risks. Assessors need to understand whether the organization protects PHI according to HIPAA standards. Critical parts of the risk assessment include:
- Data theft. Is PHI at risk of physical or digital theft? Issues include securing physical spaces and both on-site and remote devices.
- Illegitimate access. PHI should only be accessible to authorized individuals. Auditors should assess whether access controls represent a risk of exposure.
- Accidental exposure. Inadvertent PHI disclosure can result in significant fines. Risk assessors should show they have identified potential risks. For example, exposure can occur by placing workstations in public areas.
- External events. Natural disasters and other adverse events pose a regulatory risk and can compromise PHI.
Risk assessments should also investigate Privacy Rule breaches relating to access. For example, employees denying patient requests to access their data would be a critical risk.
Consent issues are also important. A relevant risk could be healthcare professionals supplying private data to marketing partners.
3. Mitigate critical risks
The security officer should connect critical risks to mitigation measures. These measures ensure that policies and controls meet HIPAA standards. And OCR auditors will expect to see proactive measures following complaints or breaches. Relevant actions include:
- Access controls. Ensure that access controls cover all employees and associates with access to PHI. Fix physical access issues such as non-functional locks or exposed data servers. Install technical access controls such as multi-factor authentication (MFA). Control access with privileged access management (PAM).
- Encryption. All identified ePHI should be encrypted. Encryption applies to data resting on internal devices and data in transit. Make sure remote devices feature external data removal systems. These systems should erase PHI in the event of device theft.
- Policy development. Ensure that privacy and security policies reflect HIPAA requirements. Check that privacy notifications for patients meet regulatory standards. Schedule employee training to verify staff knowledge.
- Disaster recovery. Store critical data in secure backup centers. Test disaster recovery processes with the collaboration of third-party experts.
4. Audit administrative controls
HIPAA compliance audits must review policies and procedures. Internal policies should prove to OCR that the organization understands its HIPAA requirements. And they should document the measures in place to achieve compliance. Critical policies to review include:
- Security controls for PHI. The Security Policy should document how the organization protects ePHI and PHI. This document should list security controls such as firewalls and encryption. It should describe access systems and privilege levels.
- Handling PHI. Policies must explain how employees should access and use PHI. For example, the policy should cover information-sharing with relatives or third-party clinicians. It should also document practices to store and dispose of PHI securely.
5. Carry out physical compliance assessments
Physical security is a HIPAA compliance concern. Compliance officers should prepare for audits by assessing workspaces and public areas. Robust controls should protect devices that store Protected Health Information. Screen placement should cut exposure to unauthorized individuals.
Waste disposal can also be a potential violation. For instance, organizations may fail to shred health documents to remove identifiable data.
6. Manage Business Associate Agreements
OCR audits will look at how covered entities manage relationships with Business Associates. Under the Omnibus Rule, regulated organizations must sign Associate Agreements with compliant partners. Violations by associates can result in penalties for covered entities.
Organizations should prepare for audits by checking all Business Associate Agreements. BAAs should include requirements about handling and storing PHI. And they should explain who is liable for HIPAA violations.
7. Train your employees
Many HIPAA breaches involve PHI disclosure due to inadequate training. Assessing staff knowledge should be a central part of audit preparation.
Compliance officers should schedule extra training to coincide with internal audits. Annual retraining should update workforce awareness as HIPAA rules change. Focus on Privacy Rule training to ensure that employees know their obligations. And check staff compliance continuously.
Challenges faced during the preparation for a HIPAA audit
HIPAA compliance audits are not always hassle-free. Organizations typically face many challenges. Common obstacles include:
- Identifying and classifying PHI. Audits must locate all stored health data. This includes on-premises devices, remote devices, and paper records. PHI assessments can be challenging in larger organizations. Mapping PHI in companies reliant on dispersed remote workforces is also difficult.
- Aligning documentation with regulations. HIPAA rules are complex. And internal policies must meet regulatory requirements. Aligning policies with regulations requires time-consuming and detailed work.
- Requesting third-party information. HIPAA requires covered entities to use compliant associates. Business associates may fail to supply the information needed. Verifying that associates follow regulations is difficult without full cooperation.
- Training employees. Complying with the Privacy Rule requires a skilled and knowledgeable workforce. Checking that workers understand their responsibilities is not easy.
- Putting in place security controls. Encrypting PHI and protecting internal networks is essential. Applying encryption can be technically challenging for smaller entities. And updating health information technology can be extremely expensive.
Frequently asked questions
How often should you conduct HIPAA audits?
HHS recommends that covered entities carry out annual self-assessments. Core audit areas include security controls, security risks, documentation, physical security, and privacy rule compliance.
Organizations do not have to carry out audits every year. OCR may subsequently audit the organization and find that self-assessments are absent. The lack of self-audits will count against the entity when OCR calculates a compliance penalty.
How much does a HIPAA audit cost?
The cost of a HIPAA compliance audit varies. Audit costs will be higher for larger organizations with more complex PHI handling systems. The cost of an initial audit is usually higher than later assessments. After the first audit, organizations generally invest in security technology and workforce training.
A rough estimate for third-party HIPAA audit costs is between $20,000 and $50,000. But there are also indirect costs. For example, the organization may divert internal employees from other projects to support the audit team. Mitigation measures will come with a price tag as well.
The OCR does not levy an audit fee. There may be indirect costs here as well. Organizations may bring in external consultants or move existing staff to compliance roles.
How long does it take to complete a HIPAA audit?
The length of an OCR HIPAA audit depends on the scope of the audit process. Audits for covered entities involve every aspect of HIPAA compliance. They will take longer than business associate audits that do not need in-depth privacy audits.
The size of the organization matters as well. Auditors may have to deal with many workplaces and external partners. Audits commonly take between 6 weeks and four months. There is no pre-determined timescale.
Prepare for compliance audits with robust self-assessments
Healthcare organizations should not fear OCR audits. The process seeks to improve HIPAA compliance, not to impose fines. Even so, avoiding regulatory audits is still desirable. Cut the risk of OCR audits by scheduling annual self-audits or bringing in third-party experts. Well-prepared organizations will be ready to handle audits. And they may avoid them entirely.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.