Preparing For HIPAA Audits
Expert Offers Timely Tips
The Department of Health and Human Services' Office for Civil Rights plans to launch one or more pilots of HIPAA auditing methods later this year. It remains unclear when the formal HIPAA audit program, which was mandated under the HITECH Act, will begin. Nevertheless, healthcare privacy and security consultant Phyllis Patrick stresses that healthcare organizations and their business associates should be preparing now.
In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, following her presentation at the National HIPAA Summit, Patrick:
- Stresses that an annual self-audit should look at every aspect of HIPAA compliance, including who has access to patient information, what physical security measures are in place and whether a comprehensive risk assessment needs updating.
- Advises organizations to make sure they have all necessary technical controls in place to support a comprehensive security program, and not just HIPAA compliance.
- Notes that organizations should make sure that all their HIPAA compliance steps are well-documented because auditors will ask for documentation.
- Suggests that those with limited budgets should at least conduct a narrow audit of records access, based on a sampling of users; implement encryption for high-risk devices, such as laptops; and make sure staff members are trained on privacy and security policies and procedures.
Patrick is president of Phyllis Patrick & Associates, which provides security, privacy and compliance advisory services to the health care industry. She formerly worked at several healthcare organizations, most recently as compliance and privacy officer at Greenwich Hospital. Among her many other roles, she was the first information security officer at Mount Sinai Medical Center.
Patrick is a member of the board of examiners for the Malcolm Baldrige National Quality Program and has served as an examiner since 2007. She is a Fellow of the American College of Healthcare Executives (FACHE) and is Certified in Healthcare Compliance (CHC).
In a previous interview, Patrick described the advice in a privacy and security white paper (See: Creating EHR Privacy, Security Strategies).
HOWARD ANDERSON: The HITECH Act mandated that federal officials create a HIPAA compliance audit program, but that program has yet to begin and it's not clear exactly when it will. Those audits will cover both the HIPAA privacy and security rules, right?
PHYLLIS PATRICK: That's correct. As is stated in the section of the regulation, it is meant to cover both privacy and security to ensure that ... the covered entity or business associate is utilizing proper controls ...
HIPAA Audit Details
ANDERSON: The Office for Civil Rights will be overseeing the audit program. Have they given any clues as to how they might go about choosing who to be audited or how many will be audited?
PATRICK: ... My recent conversations with OCR officials indicate that they're looking at a variety of methods for how to select auditees. What I have been told is everything is still on the table, so it's not clear if they would select by size of organization, type of organization or how many they might do. My understanding is they'll do a pilot initially, and what types of organizations they select for that is still to be announced.
Value of Self-Audits
ANDERSON: Should healthcare organizations be doing a self-audit to prepare for these eventual federal audits?
PATRICK: Most certainly, self-auditing should be a part of the ongoing security and privacy program of any institution. As you do your risk assessments, as you evaluate your policies and procedures ... certain things will come out that perhaps will lead to looking at areas of risk. I would strongly advise having an audit done every year. ... You may want to do some physical audits of ... buildings, including remote sites, to make sure that people are following the physical safeguards in the HIPAA security rule. You may want to look to see how the notice of privacy practices is distributed and discussed with patients.
There are a number of areas that can be audited. People think of auditing .... as focusing on [issues like] who gets access to information and how you deal with a breach. ... But that's only one aspect of auditing. ...
HIPAA Audit Prep Checklist
ANDERSON: Can you highlight a few other things that should be on a checklist of steps to take in preparation for an eventual HIPAA compliance audit?
PATRICK: Key steps are making sure that the technical controls are in place ... looking at the program as an entire entity as opposed to what do we need to do for the HIPAA security rule and having a concise document that explains what the privacy and security program are all about but also draws from all of the various other regulations that healthcare entities are subject to, such as PCI. ...
ANDERSON: How important is documenting all the steps that you've taken?
Audits, Encryption, Training
ANDERSON: Finally, if you had a limited budget and you could only focus on one or two things, what should you focus on in preparing for a HIPAA compliance audit?
PATRICK: If I could only focus on one or two things I would really look at auditing access to records ... perhaps auditing a sampling on a periodic basis. ... In the case of an entity that has an internal audit department, that's an excellent way to marry the responsibilities and the goals of the departments and to get others involved and to leverage those resources.
ANDERSON: What about the importance of making widespread use of encryption and training your folks in the policies and development. Could those ultimately pay off come audit time?
PATRICK: If I had a limited budget, those would be my two goals for this year and next year: to encrypt ... at least start the process and look for those high-risk devices first; perhaps it's the laptops, the PDAs. And training, which can be developed internally by leveraging other departments ... But make it fresh, make it interesting, engage people. ...