The Office for Civil Rights (OCR) recently announced that they will resume HIPAA compliance audits in 2024. The most recent OCR audits were back in 2016-2017, which makes it unlikely that many healthcare organizations today are fully ship-shape with HIPAA rules and regulations. The evidence suggests that many organizations will struggle to demonstrate compliance with HIPAA, given the notable uptick in breaches in the healthcare sector.
The focus for this round of audits is reported to be on the Security Rule. Let’s break down what this means for your organization and provide you with a prescription for getting your healthcare entity audit ready.
What to Expect in a Security Rule Audit?
Let’s first celebrate that if the Office for Civil Rights is going to focus on compliance with the Security Rule, this makes audit preparation relatively easier. Past audits covered the Administrative, Privacy, and Security Rule, and thus were much more challenging to prepare for. While we advocate that every healthcare entity be in full compliance with all HIPAA regulations, we all know that we have to prioritize our limited resources towards known audit risks. The OCR is doing us a big favor by making it clear what they intend to focus on.
A quick disclaimer: we expect some variability in the audit scope for different entities, but if you are curious about the core guidance that the OCR uses for their audits, they do publish that information on the HHS.gov website.
It’s a big document, so here’s our expert guidance on what to focus on:
1. Security Officer
Someone in your organization needs to be the official point of contact and responsible party for your organization’s security posture. An auditor is going to want to see a job description for this role, and clear evidence that this individual has been acting in this capacity once the role was assigned to them.
Bonus points if you have also identified a Privacy Officer and a Compliance Officer, as these roles are all important to define and maintain with the continuity of someone in each role at all times.
2. Risk Assessment
Every entity taking security and privacy seriously should conduct regular risk assessments. These should be rigorous, well-documented, and demonstrate that key stakeholders grappled with various risks, measured their likelihood and impact on the organization should they occur, and created a risk mitigation plan.
Bonus points if you built a Risk Register to track your activities related to risk mitigation.
3. Asset Inventory
Ideally, you have 3 distinct inventories you can readily share with an auditor upon request, as well as periodically review with your internal team to assess your security posture. These three asset inventories are for your (1) hardware (workstations, servers, modalities, and anything on your network that stores or transmits Protected Health Information (PHI)), (2) software (installed applications, web portals, and Software-as-a-Service tools that are involved in the storage or transmission of PHI), and (3) data (specifically PHI data repositories).
Bonus points for accounting for any and all data storage repositories, both in your organization and in your cloud portals. In our experience working with healthcare entities, it’s best to assume that all data you have contains PHI, since it’s far too common for an errant copy or a poorly de-identified document to land where you least expect it. We encourage our customers to have an “assume the data is sensitive” mindset for all data stored on their systems.
4. Vendor Inventory
Make sure you have a list of all the third-party companies you work with, and identify which ones have some potential or known exposure to PHI. Make sure you have counter-signed Business Associate Agreements (BAAs) on file for each of those vendors. Ideally, you should have a current and valid point of contact at each of these vendors identified in your inventory list.
Bonus points if you can prove that each vendor has signed the most recent version of your BAA. We often find that longstanding vendors signed an older version of a BAA, sometimes one that doesn’t even mention the HITECH Act (meaning it was likely signed before 2009!).
5. Plans and Procedures
This is where your IT department and IT vendors get a chance to shine! Make sure that you have current documentation available for defining your secure operating procedures, as well as handling emergencies with contingency plans and security incident procedures. If your IT staff have no idea where to begin or they lack the resources to create or maintain these essential procedures, we do recommend consulting with HIPAA experts to establish the core procedures you will need. Also, sometimes an IT team just needs a great starting point like this fantastic free set of HIPAA policies available here, free to use and with clear instructions on how to readily adapt them for your organization.
Bonus points if you can demonstrate that these plans were reviewed and tested within the last 12 months. Make sure that an auditor can see that these are actively used and validated documents.
6. Staff Training
Our people can represent our best security asset, so long as they get the training they need. The OCR will specifically be looking for evidence of regular staff training on topics like the correct procedures for handling electronic PHI, passwords, and secure communications. These do not have to be separate trainings, but ideally there are tools implemented in your organization that focus on Security Awareness Training. These purpose-built tools are excellent not only for logging compliance with training requirements, but also for regularly simulating social engineering attacks to validate that the training was absorbed by your staff.
Bonus points if you can compile all training activities into a log that can be tracked by your HR department, proving that all individuals got standardized training on a regular basis.
There are so many terrific resources available now to healthcare organizations to help them build and maintain a HIPAA-compliant posture. Additionally, while the OCR does have the ability to assess hefty fines for non-compliance, our experience working with the OCR is that they prefer to work collaboratively with healthcare entities to improve their security posture in a constructive manner.
We have only observed them assessing penalties when a healthcare entity is grossly negligent or takes a non-cooperative approach to the audit. The mutual goal we all should share is that we have a sacred duty to all patients to protect their privacy and secure their information by consistently implementing best practices. We also know that disruptions to our services brought about by cybersecurity incidents put patients’ lives and health at risk, and great effort should be put forth to mitigate the risk of a cybersecurity attack or incident.
For all those reading this, we encourage you to touch base with your IT vendor or teams to make sure they feel confident to respond effectively to an OCR audit focused on your compliance with the Security Rule. If you don’t get a satisfactory assurance, please reach out to Net Friends today so we can share our extensive HIPAA compliance experience and guidance with your team before you get that “This is an automated communication from the Office for Civil Rights (OCR).” letter. When that letter arrives, if it’s anything like last time, you have 14 days to respond and your audit begins shortly thereafter. The time to prepare is now!
At Net Friends, we believe in the power of human expertise. While we leverage AI to enhance our content and processes, all blog posts are written and edited by our knowledgeable staff. You can trust you are getting insights directly from our team.