Are You at Risk for a HIPAA Audit?
As OCR continues its rigorous HIPAA audit process, recent years have seen record investigations and enforcement. A robust and compliant HIPAA security program is critical to passing a HIPAA audit, or to avoiding one altogether. Find out whether you need to be HIPAA compliant and what you're doing right now that could trigger an audit.
So, are you at risk?
Whether you operate as a Covered Entity (CE) or Business Associate (BA) under HIPAA regulations, you must follow HIPAA protocols and remain compliant. More than a suggestion, HIPAA compliance is a set of requirements enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and you must be prepared to respond to an OCR request in the event you've triggered a HIPAA audit.
The common misconception is that the OCR audits occur randomly, and the department shows up on-site unannounced to check your compliance state. Fortunately, that is not the case.
When OCR comes on-site for a HIPAA audit, it's because they've been notified of a serious issue. HIPAA audit requirements cover a range of probing, detailed investigatory processes, and depending on the nature of the violation, OCR's investigation can result in hefty fines, restrictions, and even criminal prosecution.
What information needs to be protected?
Under HIPAA regulation, patients have the right to have their protected health information (PHI) kept private and safe from breaches and malware incidents. HIPAA defines PHI as any demographic information that can identify a patient directly or be used in their identification. Common examples of PHI include:
- Date of birth
- Phone number
- Insurance ID number
- Medical records
- and more
"Do I need to be HIPAA Compliant?"
Not sure whether you need to be HIPAA compliant? Organizations that provide medical care or submit HIPAA transactions electronically are Covered Entities (CEs) and include (but are not limited to):
- Government Contractors
- Insurance providers
- Nursing homes
- Medical practices
- Other Health Care Organizations
Business associates (BAs) are vendors often hired by CEs to handle or manage protected health information (PHI) on their behalf and often include (but are not limited to):
- IT providers and consultants
- Medical record storage providers
- Law office or accounting firms
- Document shredding companies
- Answering service agencies
- Medical practice management firms
- Medical device makers
- Collections agencies
- Medical billing and coding companies
- Medical transcriptionists
- E-prescription services
- and many more
Put simply, if your company handles PHI in any form, you need to be HIPAA compliant.
Are You at Risk for a HIPAA Audit?
All CEs and BAs are subject to HIPAA enforcement. If you are either, you are always at risk of HIPAA complaints, violations, and audit investigations. So you need to be aware of HIPAA audit protocols.
The OCR continues to assert its authority and makes clear that enforcement efforts will continue to target CEs and BAs that fail to meet HIPAA standards.
HIPAA audits don't happen randomly: OCR lacks the staffing to audit an organization without cause, so audits are typically initiated in response to a patient complaint or a reported security event. Once you understand why HIPAA audits occur and what triggers them, you begin to realize an audit could be triggered by anyone, at any time.
Violations occur in organizations of all sizes for many different reasons, and these violations are increasing in size and scope.
Common HIPAA audit triggers
- Patient complaints
- Employee complaints
- Employee mistakes
- Insider wrongdoing
- Third-party mistakes
- Security incident
Unpatched software exposed to malware and ransomware exploits is one cause, but human error remains the primary trigger. Consider how easily a staff member could open a phishing email, or how many users have weak passwords when no security practices and protocols are in place. Sending an email containing PHI to the wrong address, as well as lost or stolen devices, are other typical audit triggers, especially if the devices and their data are not encrypted.
Did You Know? Ensuring all your devices are encrypted is critical. It removes a significant audit trigger, since you don't need to report lost or stolen devices whose data is encrypted.
How to be prepared for a HIPAA audit
In many cases, the initial trigger isn't even where an organization is ultimately penalized. A lost or stolen unencrypted device has to be reported, and that report may lead OCR to discover that your business or practice has neglected to provide appropriate HIPAA staff training, or that you lack proper documentation or business associate agreements.
Documented items include:
- HIPAA policies and procedures
- HIPAA risk analysis
- HIPAA employee training and testing
- PHI location documentation
- Notice of Privacy Practices
- Software development lifecycles
- Business associate agreements (BAA) and/or enforceable consent agreements (ECA)
- Identified vulnerabilities
- Incident response plan/breach response plan
- Compliant processes and procedures
- List of authorized wireless access points
- List of all devices including physical location, serial numbers, and make/model
- Electronic commerce agreements
- Trading partner security requirements
- Lists of vendors
- Lists of employees and their access to systems
- Diagram of your physical office, including exit locations
- Employee handbook
- Policies and procedures for the Security Rule, Privacy Rule, and Breach Notification Rule
- Disaster recovery plans
- Media disposal log
There is no excuse for non-compliance.
The Office of the National Coordinator (ONC) Guide to Privacy and Security outlines the steps you should take to reach compliance and remain prepared for an audit.
For HIPAA compliance, you'll need to appoint a privacy and security officer, perform annual security risk assessments, remediate and document fixes, keep written HIPAA policies and procedures, and provide annual training to every employee. To survive an audit, you'll need to understand and implement all seven detailed sections of the guide.
Get ahead now. Don't wait for a HIPAA Audit.
Too many organizations struggle with HIPAA compliance requirements and have been reluctant to protect their data and adequately upgrade their systems.
Ask yourself and your company's leadership teams: if you had a HIPAA complaint filed against you today, are you confident in your HIPAA compliance practices and procedures? Could you sufficiently respond to a HIPAA audit?
HIPAA compliance is mandatory for all healthcare operations. Employees are human and make mistakes. Hospital ransomware attacks are rampant and healthcare cybersecurity breaches are widespread. If an organization fails to employ the appropriate HIPAA practices, OCR does not accept a lack of resources as a valid excuse.
If you are a covered entity or business associate in the healthcare industry burdened by all these HIPAA requirements and don't have time to manage these processes internally, eTrepid can help.
Let us take the necessary steps to uncover your risks for a HIPAA audit and keep you ready to meet the demands of the OCR.