HIPAA Compliance Audits Documentation: Hungry Hungry HIPAA

Published 01/17/2018

HIPAA compliance audits consist of a never-ending cycle of risk, compliance, and monitoring. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires not only that you be compliant but also that your vendors meet compliance standards. HIPAA compliance audits chomp away at your employees’ time just as the Hungry Hungry Hippos in the childhood game devour marbles.

Just as winning a game of Hungry Hungry Hippos means being the fastest player, winning at hungry hungry HIPAA means saving time and corporate resources.

What is HIPAA?

HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally enacted the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”  

In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). It created three types of compliance safeguards. “Administrative safeguards” refers to the policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards cover the communications that transmit PHI electronically over open networks.

Why is HIPAA Compliance Important?

Many companies initially assumed that HIPAA was merely a suggestion, so HHS created the Enforcement Rule. This was the first foray into imposing civil money penalties for HIPAA violations. The Enforcement Rule was reinforced by the 2009 HITECH Act, which created four violation categories and four corresponding tiers of penalty with minimums and maximums for violations. Penalties range from $10,000 per violation to $50,000 per violation based on the tiered structure. The Office for Civil Rights (OCR) enforces the Privacy and Security Rules by investigating complaints, conducting compliance reviews, and performing education and outreach to help organizations comply.

In the first six months of 2017, 1,996 breaches impacted over 5.5 million individuals. While laptop theft was the biggest reason for these breaches, the greatest vulnerability came from hacking or IT incidents.

What Can I Do To Get Compliant?

Risk assessments are your first step to HIPAA compliance. The risk assessment helps determine the locations of greatest vulnerability. As a first step to HIPAA compliance, go to the Security Risk Assessment Tool created by the Office of the National Coordinator for Health Information Technology. Answering the 156 questions can help you identify your biggest risks.

The Security Risk Assessment (SRA) Tool is a useful but time-consuming first step. Since the insights are stored on Excel spreadsheets, the tool makes it more difficult to scale your business. Spreadsheets can be useful for initial compliance tasks but rapidly become overwhelming. The marbles in Hungry Hungry Hippos quickly become scattered and chaotic in the same way compliance documentation does when done on spreadsheets. Sharing across spreadsheets can leave information stranded between stakeholders.

What Documentation Supports HIPAA Compliance Audits?

Under the Phase 2 HIPAA Audit Program, covered entities as well as their business associates must prove compliance through documented policies and procedures. According to the OCR HIPAA audit procedure, the examination includes a review of standards and implementation specifications for the Privacy, Security, and Breach Notification Rules.

Privacy Rule Documentation

Your auditor will request copies of business associate contracts, business associate compliance assurances, patient confidentiality forms, confidential communications requests, disclosures, whistleblower policies, group healthcare documentation, procedures and policies for PHI use, patient authorization forms (including patient intake consent forms), a directory of people with access to the facility, as well as policies and procedures for protecting information in accordance with other laws. In addition, HIPAA compliance audits require documentation of record retention.

Security Rule Documentation

Security Rule audit documentation is the most important and also the most difficult to bring together in one place. HIPAA’s Security Rule requires organizations to show adherence to technical information systems standards. This is the area where the Health Information Technology for Economic and Clinical Health (HITECH) Act overlaps with HIPAA.

Importance of Risk Assessment

HIPAA auditors consider the size of the business, technical infrastructure (hardware and software), costs of security measures, and the probability and criticality of each potential risk to PHI. For this reason, your auditor will require a risk assessment and review whether you thoroughly assess the potential risks and vulnerabilities to confidentiality for both PHI and ePHI. This risk assessment needs to show documentation of not only review but also reasonable and appropriate levels of risk mitigation.  

Physical Security

Physical security remains a large part of HIPAA compliance audits, requiring a review of physical locations in which information is stored as well as the people who have access to these locations. This review requires documentation of visitors’ access to facilities. Physical security also evaluates who accesses workstations and moves hardware/software that can contain ePHI.

Information System Security

To prove compliance with HIPAA’s Security Rule, you need to provide policies and procedures related to prevention, detection, containment, and correction of security violations. Moreover, your auditor will ask not only to review policies regarding employee sanctions but also whether any sanctions were handled within the boundaries of those procedures.

To prove compliance with your internal policies and procedures, your auditor will ask for information systems records including audit logs, access reports, and security incident tracking reports. The access reports need to document that each workforce member’s access to PHI is limited to only the information necessary to complete their job, and that access is removed according to your procedures upon job termination. This means that your organization’s HIPAA compliance audit documentation must include clear definitions of the ePHI access that is appropriate for each job level.
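As an added illustration (not code from the original article or from ZenGRC), the check below cross-references a constructed access log against per-job-level ePHI definitions and a workforce roster, surfacing the kind of findings an access report should show: access outside a role's definition, access after termination, and activity by accounts not on the roster. Every user, dataset and date in it is constructed.

```python
from datetime import date

# Constructed definitions of the ePHI data sets each job level may access.
ROLE_ENTITLEMENTS = {
    "nurse": {"clinical_chart", "medication_list"},
    "billing_clerk": {"billing_record"},
    "it_admin": set(),  # infrastructure duties only; no ePHI access defined
}

# Constructed workforce roster: user -> (job level, termination date or None).
WORKFORCE = {
    "jdoe": ("nurse", None),
    "asmith": ("billing_clerk", None),
    "bjones": ("nurse", date(2017, 11, 30)),
}

# Constructed access log lines in the form date,user,dataset,action.
ACCESS_LOG = """\
2017-12-01,jdoe,clinical_chart,read
2017-12-01,asmith,clinical_chart,read
2017-12-02,bjones,medication_list,read
2017-12-02,asmith,billing_record,update
2017-12-03,ghost,billing_record,read
"""


def review_access(log_text, entitlements, roster):
    """Return (date, user, dataset, finding) for each log entry that violates
    the per-role ePHI definitions or the termination procedure."""
    findings = []
    for line in log_text.strip().splitlines():
        when_text, user, dataset, _action = line.split(",")
        when = date.fromisoformat(when_text)
        if user not in roster:
            findings.append((when, user, dataset, "not on workforce roster"))
            continue
        role, terminated = roster[user]
        if terminated is not None and when > terminated:
            findings.append((when, user, dataset, f"access after termination on {terminated}"))
        elif dataset not in entitlements[role]:
            findings.append((when, user, dataset, f"{dataset} not permitted for role {role}"))
    return findings


if __name__ == "__main__":
    for when, user, dataset, finding in review_access(ACCESS_LOG, ROLE_ENTITLEMENTS, WORKFORCE):
        print(f"{when} {user:<8} {dataset:<16} {finding}")
```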

You’ll need to provide documentation of encryption levels while showing when sessions time out due to inactivity. This will include screenshots as well as system settings to prove implementation of an automatic logoff. This also includes ensuring business associates and group health plan providers appropriately comply with HIPAA and HITECH ePHI requirements.

Finally, your auditor will request training logs to ensure your employees receive ongoing security awareness education.

Record Retention

Part of any audit is ensuring that companies retain information for the required six years. For HIPAA compliance audits, however, this retention can impact a patient’s healthcare. Therefore, you will be required to provide proof of retention and retrieval.

Disaster Recovery Protocols

The last step in the Security Rule review of HIPAA compliance audits segues into Breach Notification. Before clearing an organization under the Security Rule, auditors need to ensure that you have appropriate malicious software protection and documentation of monitoring, including login procedures, employees engaged in reviewing login attempts, and password guidelines.

Finally, your Security Rule audit will require documentation of your disaster recovery plan, including but not limited to data recovery, critical business process continuity, and testing of the plans.

Audit Documentation

HIPAA compliance audits require that documentation of policies and procedures is reviewed periodically. This can be internal as well as the required external audit.

Breach Notification Rule

You will be required not only to provide documentation of policies and procedures, but also to give your auditor copies of any complaints and dispositions of those complaints. This includes documentation of any sanctions against workforce members for failing to comply, as well as proof that your organization did not retaliate against those exercising their whistleblower rights.

Moreover, your organization will be required to give documentation proving that your risk assessments were completed in accordance with the law.

The Breach Rule requires notification of those impacted by a data event. Generally, you will need to provide a list of all breaches involving 500 or more individuals and copies of the notifications, including those sent to the Secretary as well as to everyone impacted by a data breach at a business associate. You will need to prove timeliness and appropriate language used.

How Automation Can Help You Win At Hungry Hungry HIPAA Compliance Audits

With the overwhelming amount of documentation required for a successful HIPAA compliance audit, preparing for one can feel chaotic. Anyone who ever played Hungry Hungry Hippos as a child remembers the frenetic experience of randomly pushing the levers, hoping to gobble up the most marbles to win.

The HHS Office of the Inspector General (OIG) offers a guideline that discusses all the parties involved in your compliance efforts, from your employees to your Board of Directors. Automation helps you better communicate across your organization’s various stakeholders, providing them with the right information for their needs.  

A HIPAA compliance audit is similar: audit management software that provides a single source of truth helps you save time. Saving time saves money because your employees can focus on securing your environment.

With an automation tool like ZenGRC, you can monitor your compliance while storing all your necessary documentation in one place.

ZenGRC’s compliance management software provides a risk dashboard that gives insight into the effectiveness of your ongoing monitoring so that you can meet internal audit standards.

To schedule a demo and become the hungriest HIPAA compliant organization, contact ZenGRC.
