Top 10 Tips for HIPAA Audit Prep
Advice from Security Expert Mac McMillan
That's the attitude he'd like to see healthcare organizations take as they prepare for potential HIPAA compliance audits.
The Department of Health and Human Services' Office for Civil Rights has announced plans to conduct about 150 HIPAA audits by the end of 2012 (see: McAndrew Explains HIPAA Audits). The HITECH Act mandated the audit program.
Following are McMillan's top 10 tips for preparing for a HIPAA audit.
1. Make sure your organization has an up-to-date risk analysis for the entire enterprise.
"Information security auditors want to know the basis of your program and your controls and whether or not you've actually identified what the risks are in your environment," the consultant says. "They want to know if you have organized your security program around an appreciation of where those risks are."
McMillan suggests that the risk analysis should be based on recognized security standards, such as those from the National Institute of Standards and Technology, the International Organization for Standardization's ISO 27002 standard or the Health Information Trust Alliance's Common Security Framework.
2. Make sure policies and procedures are up-to-date and relevant. Then check to make sure you're actually carrying out those guidelines.
Healthcare organizations should conduct their own compliance audits to make sure everyone is adhering to spelled-out policies, McMillan says. For example, if all computers are supposed to have an automatic log-off function, check to make sure that's actually the case.
3. Be certain that individuals assigned security responsibilities are ready to articulate their practices and demonstrate compliance.
The best way to build faith among auditors, the consultant says, is if security staff members "sound like they know what they are doing."
4. Ensure that everyone involved in the incident response process understands their roles. And don't forget to document security incident responses.
"Auditors will ask for a list of your security incidents and how you handled them," McMillan says. For auditors, this is a valuable source of ideas for focusing their investigations, he adds.
The HITECH Act's breach notification rule requires organizations to assess the risk of harm involved in an incident to determine if it needs to be reported to authorities and individuals affected. So even if a hospital concludes that an incident poses no risk of harm, it still must have documentation of how the incident was assessed, McMillan warns.
Also be prepared to share an incident response plan and prove you have a database for tracking all incidents, he suggests.
5. Be ready to demonstrate that security controls are actually working.
For example, if an auditor says, "I want to see how you handle access control," the organization must be able to describe the process in great detail, McMillan says. "Demonstrating controls is about building confidence that you have a security program and you know what you're doing and can show the results of what you are doing."
6. Understand where all electronic protected health information is stored within the enterprise, and be prepared to describe how you monitor access to it.
Relatively few organizations have taken adequate steps to meet this basic HIPAA requirement, McMillan contends.
The consultant believes that as much as 60 percent of protected health information is not in major clinical applications, but rather shared files, spreadsheets, documents, databases or even on mobile devices.
The best-case scenario, McMillan believes, is to use data loss prevention technology to search all structured and unstructured data to pinpoint where all patient information resides, and then take steps to protect it.
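Before a DLP product is in place, the discovery step McMillan describes can be approximated with a pattern scan over file shares. The following is an added example, not code from the article or from the consultant it quotes: it walks a directory tree, flags files containing identifiers that commonly travel with ePHI (Social Security numbers, a hypothetical medical record number format, dates of birth), and rejects SSN shapes the Social Security Administration never issues to cut false positives. The sample files, the `MRN` prefix format and the directory layout are constructed for illustration.

```python
"""Minimal ePHI discovery scan over unstructured files (added example).

Not code from the original article. The MRN number format and the sample
file share built in demo() are constructed assumptions for illustration.
"""
import os
import re
import tempfile
from collections import Counter

# US Social Security numbers written as NNN-NN-NNNN.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical medical record number format: "MRN" followed by 7 or 8 digits.
MRN_RE = re.compile(r"\bMRN[- ]?(\d{7,8})\b")
# Dates of birth in MM/DD/YYYY form; only meaningful next to other identifiers.
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")


def plausible_ssn(area, group, serial):
    """Reject number shapes the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000) so that test values and junk are not counted."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def scan_text(text):
    """Return a Counter of identifier types found in one document's text."""
    found = Counter()
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found["ssn"] += 1
    found["mrn"] += len(MRN_RE.findall(text))
    found["dob"] += len(DOB_RE.findall(text))
    return found


def scan_tree(root, exts=(".txt", ".csv", ".log")):
    """Walk a directory and return {path: Counter} for files with likely PHI.

    Only files with the given extensions are read; unreadable files are skipped
    rather than aborting the scan, and files with no hits are omitted."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue
            if sum(counts.values()) > 0:
                results[path] = counts
    return results


def demo():
    """Build a small constructed file share in a temp dir, scan it, and return
    findings keyed by path relative to the share root."""
    samples = {
        # A billing export that clearly carries ePHI (constructed data).
        "billing/export.csv": "name,mrn,ssn,dob\n"
                              "J. Doe,MRN1234567,123-45-6789,04/12/1971\n",
        # A memo with an SSN-shaped test value that should NOT be counted.
        "notes/memo.txt": "Meeting moved to 3pm. Badge 000-12-3456 is a test value.\n",
        # An ordinary log with a date that must not be mistaken for an SSN.
        "it/server.log": "2012-03-01 backup ok\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): c
                for p, c in hits.items()}


if __name__ == "__main__":
    for path, counts in demo().items():
        print(path, dict(counts))
```

Run against a real share, the output is a list of locations to feed into the risk analysis in tip 1 and the access-monitoring question in tip 6; the point of the plausibility check is that an inventory padded with false positives is no more credible to an auditor than no inventory at all.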
7. Be prepared to explain why you're not implementing HIPAA Security Rule specifications that are "addressable," such as encrypting data at rest.
An addressable implementation specification must be implemented if doing so is reasonable and appropriate for the organization. If it is not, the organization must document why and, where reasonable and appropriate, implement an equivalent alternative measure that achieves the same objective.
For example, many organizations "fail to recognize that if they choose not to encrypt data at rest, they must have some other compensatory measure that accomplishes the same effect," McMillan says. One approach would be to explain that data on a server is not encrypted because it's in a data center with restricted access, the data center is segmented by an application-layer firewall "and the only way you can get to the information on the server directly is to physically break into the data center," the consultant says.
8. Make sure your documentation is organized and accessible.
"The easier it is to demonstrate compliance, the more confidence the auditor will have that there is real compliance," McMillan says. He advises organizations to create an online library of all HIPAA-related documentation, which can be easily updated. "Then you can show it to the auditor and say, 'Here's everything you need; have at it.'"
9. Be ready to showcase training for employees and all others who have access to protected health information.
It's important to demonstrate that every employee, as well as independent physicians with admitting privileges, volunteers, consultants, contractors and anyone else with access to patient information, has received HIPAA compliance training, McMillan says.
Organizations must be prepared to produce detailed records of training because an auditor may, for example, ask for evidence of when and how certain staff members were trained, he warns.
10. Embrace the audit and help the audit team know your organization.
"The fact that an auditor may have audited other healthcare organizations does not equate to knowing your unique environment or having an immediate appreciation for how you manage risk," McMillan stresses. "So be prepared to start the audit off with an orientation to your organization and your security program."
He stresses: "An auditor can come to the wrong conclusion if he doesn't truly understand what you are doing."