Healthcare organizations are potentially subject to audits by the US Department of Health and Human Services (HHS), under the Health Insurance Portability and Accountability Act (HIPAA). These HIPAA Audits review how the organization uses and protects the electronic protected health information (ePHI) it holds, and whether this usage is in compliance with the HIPAA Privacy Rule and the security is in compliance with the HIPAA Security Rule.
(The Privacy Rule also covers paper protected health information, PHI). HIPAA violations can be penalized very severely, with a maximum fine of $1.5 million per incident. Most of these fines occur after data breaches, and most involve both:
- not conducting an accurate and thorough HIPAA security risk assessment/analysis of the threats to ePHI, and
- improper access to PHI, on the part of employees or outsiders.
In the future, healthcare organizations can expect increased scrutiny around the integrity of ePHI (you don’t want to give Type A blood to a patient whose Type B) and around the use and misuse of genetic information, but currently those two are the most common audit findings under the HIPAA Regulations.
The OCR HIPAA Compliance Audit Checklist – Start Here
Almost all HIPAA Audits will be conducted by HHS’ Office for Civil Rights, OCR. These HIPAA Audits are the result of either a reported data breach or a complaint to the Secretary of HHS. (There are also random OCR HIPAA Audits, but these are so rare as to be negligible). OCR has helpfully published the HIPAA Audit Checklist template that they will use on their website, which is a great start for your organization’s HIPAA Audit Checklist – but only a start.
The reason that OCR’s HIPAA audit checklist template is only a start, and that each organization must develop its own, customized, HIPAA audit checklist, is that OCR’s checklist includes many repetitions of the phrase “Evaluate and determine if the process used is in accordance with [the] related policies and procedures.” Which means that you’ll be audited against not just the HIPAA regulations, but against your own internal policies and procedures.
Developing a HIPAA internal audit checklist for your organization
The best way to prepare for a HIPAA Audit, from OCR, CMS, or a business partner, is to “beat them to the punch” and perform a HIPAA internal audit yourself. The process is tedious, but straightforward. You first download OCR’s HIPAA Audit Checklist from the site above. It is listed in a table format that’s easy to export into Microsoft Excel. Once it’s downloaded, format it to your liking for readability and ease of use, such as identifying the owner of a policy or procedure, or assigning due dates for tasks.
Then, for every line item in OCR’s HIPAA Audit Checklist:
- Identify the policies and procedures that your organization has that meets the requirement. For example, next to the HIPAA IT Audit Checklist clause “Review documentation regarding how requests for information systems that contain ePHI and access to ePHI are processed”, list or link to your organization’s Access Management policy and/or procedure. If you don’t have one, identify the clause as a gap. (For a HIPAA Privacy Audit Checklist template, just use the relevant section of OCR’s HIPAA Audit Checklist. We’ll use the HIPAA Security Audit Checklist in this article.)
- Determine if your policies and procedures are ticking all the boxes of the “elements to review”, or if they need some editing and expansion. For example, your Access Management policy and/or procedure should have a section on how a supervisor’s approvals of access rights are verified.
- Determine if you’re following your internal policies and procedures. This seems obvious, but many healthcare organizations write policies to reflect a desired future state, or that have many undocumented exceptions, rather than as a rule to follow. (Exceptions Management – what to do when you aren’t following your own policies – could be the topic of a whole separate blogpost). Be honest here, as there’s no point in fudging for an internal audience.
- Identify any additional requirements of your policies that are above and beyond the HIPAA HITECH Audit Checklist requirements. In our example, your Access Management policy may require two levels of supervisory approval for access to a very sensitive system. That is not a requirement of the HIPAA Security Rule, but if it is in your policies, it’s a requirement for you. And yes, this fact creates an incentive for “bare minimum” policies. Add an extra column next to the CMS HIPAA Audit Checklist requirements for these additional, local requirements. This will be Column F if you follow the OCR HIPAA Audit Checklist format very closely.
- Determine what evidence of following them is available. Some evidence may be required by policy, such as the two levels of supervisory approval in our example above. Some may naturally occur as part of implementing the policy, as in a user’s initial ticket to request the access he needs. List this evidence, and how to obtain it, in new column to the right – this will be Column G if you follow the OCR HIPAA Audit Checklist format very closely.
- List any gaps that you’ve identified in Column H, or whatever the correct column name is in your own spreadsheet. There are three separate kinds of gaps (though of course you can combine all three if you have nothing at all):
- A Policy Gap: You don’t have any policy or procedure that addresses the HIPAA requirements
- An Implementation Gap: You have a policy/procedure, but you’re not following it
- An Evidence Gap: You are following it, but have no evidence to show this fact.
- To close a Policy Gap, first write a draft policy that addresses all the “Elements to Review” listed in the OCR HIPAA Compliance Audit checklist. The language OCR uses is bureaucrat-ese, so it may take a few read-throughs and discussions to understand what they want. Send the draft policy through your organization’s typical review and approval process, and publish it in the typical place for organizational policies. (If you have neither an approval process or place to publish policies, you have other problems than a HIPAA Audit). Make sure the policy is one that your organization can and does implement, since you don’t want to close a Policy Gap by creating an Implementation Gap.
- To close an Implementation Gap, implement the policy. This is often easier said than done, of course. Many of our clients have very well-written, thorough policies that are not even close to being followed. At Techumen, we believe a basic policy, that is well-implemented, is much better than an eloquent, standard-centered policy that is ignored. You can always make a documented policy stronger if needed, but a policy that is ignored is much less visible. If your policies are closer to “wishful thinking” than “rough but helpful guide”, it may be time to revise. If implementing your brilliant policies would cost a lot of time, effort, or money, it may also be time to revise. Make sure that your revised policy addresses all the “Elements to Review” listed in the OCR HIPAA Compliance Audit checklist, but there’s usually very little need to go above and beyond that. If the minimum weren’t enough, it wouldn’t be called the minimum.
- To close an evidence gap, change your processes to produce evidence. Ideally, at least some part of your processes are automated and produce evidence with little, or no, human intervention. Using our prior example of Access Management Policies, many ticketing systems will automatically tag/label a supervisor’s approval and keep it for a defined retention period. This is much less burdensome, and can generate much more evidence, then asking a busy supervisor to write an email saying “Approved” or requiring a paper sign-off. Evidence of processes in place is not needed very often, nor is it needed promptly, so there’s no need to design for evidence that is quick and easy to retrieve. The fact that evidence exists, and can be gotten with some effort, is enough.
That was a lot of words. It may be easier to visualize a concrete example, for the Access Management safeguard discussed above. (There will be 73 line items for the Security Rule, 89 for the Privacy Rule, and 19 for the Breach Notification Rule, depending on how you count):
|HIPAA Safeguard||OCR Audit Protocol||Internal Policies & Procedures||Internal Requirements||Evidence||Gap?|
|§164.308(a)(4)(i): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.|
– Obtain and review the policies and procedures to determine that they reasonably and appropriately restrict access to only those persons and entities with a need for access.
– Also obtain entity’s policies and procedures related to minimum necessary [45 CFR 164.502(b)] and safeguards [45 CFR 164.514(d)] to determine that the policies and procedures subject to this inquiry support an entity’s compliance with the minimum necessary requirement and safeguards requirement that limit unnecessary or inappropriate access to and disclosure of protected health information.
– Evaluate and determine whether the technical implementation of the access controls used by the entity support the minimum necessary policies and procedures and are consistent with the Privacy Rule safeguard policies.
Policy 530, Access Management
Policy 531, Minimum Necessary
Procedure 1531, Access Management Procedure
Procedure 1532, Remote Access Approval Procedure
Policy 530 requires:
-Two levels of approval for access
-Assignment to a pre-existing user role in Active Directory
-Separate authorization for Remote Access
-Termination of a departing user within 48 hours
1. Completed access request tickets in Jira
2. Completed access review tasks in Jira
3. Termination request tickets
|Yes. Access reviews are not consistently performed.|
Completing the HIPAA Audit Checklist
You’ve developed your organization’s HIPAA Security Audit Checklist, identified all the gaps in your current state, and you have a plan to close those gaps. Be sure that each gap has an owner responsible to close it, and a deadline for its closure.
You don’t have to close every gap immediately to satisfy an auditor, whether that auditor is from Health and Human Services or from your biggest customer. You do need to have a detailed plan for each gap, with accountable persons and realistic deadlines for closing them – saying “We’ll get to this by August 2112” does not qualify as a good plan. But by developing the HIPAA Internal Audit checklist above, methodically following the compliance audit process, and being forthright about what your organization can and cannot achieve, you will be well prepared to face the Office of Civil Rights.
Contact Us today and get more information about our HIPAA consulting.