The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is the government body that enforces the Health Insurance Portability and Accountability Act (HIPAA) laws. Their HIPAA Audit Program (to use its full name, The HIPAA Privacy, Security, and Breach Notification Audit Program) examines both HIPAA Covered Entities and Business Associates to assess their compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Health care organizations, depending on the circumstances, face fines of up to $1.5 million for each violation, in addition to the bad publicity of a HIPAA Audit Report. Between the initial document requests OCR will make, the follow-up questions they’ll ask, and the evidence they’ll seek, it can easily take several hundred items, and many hours of effort, to submit documents that address each point. At this point, investing in a qualified HIPAA security risk assessment can save a company thousands if not millions of dollars and massive headaches down the road.
For those HIPAA Covered Entities and Business Associates who want to prepare for a possible audit, and/or know they’re not ready for the full HIPAA Audit Checklist, this article discusses the basic HIPAA Audit requirements.
List of HIPAA Audit Requirements
To prepare for a HIPAA Audit, whether conducted by OCR or by a business partner, obtain your organization’s:
- Information System Asset Inventory: What electronic protected health information (ePHI) does your organization hold, and on what systems is that information used, stored, or transmitted?
- Security Violations Policy: When you discover a security violation, what will you do?
- Risk Analysis Policy: How frequently will you perform a risk analysis? What methodology will you use? What criteria for risk determination will you use?
- Risk Management Policy: What will you do with the risks that are discovered?
- Sanctions Policy: When users misbehave, or are careless, what penalties will they suffer?
- HIPAA Audit Log Requirements, including log-in monitoring (also known as the Information System Activity Review Policy): Which events will be logged, who will review the logs, and how often?
- Security Official Contact Information: Name, title, and email.
- Access Management Policy: How will you authorize, grant, modify, remove, and review Access Rights to PHI? Make sure this covers your own employees, and any non-employees with access, such as customers, contractors, and partners.
- Security Awareness and Training: How and how frequently will your staff be trained? How will periodic security reminders be sent? Where will you keep the training records, and how will you audit your training requirements for HIPAA?
- Antivirus Policy: What is your standard anti-virus software? How often will it update? What will be done upon detecting a virus?
- Password Policy: How complex are your passwords? How often must they change?
- Incident Management Policy: When some bad event happens, what will you do? This should include how you will comply with the Breach Notification Rule, should it be needed.
- Disaster Recovery and Business Continuity Plans: How will you restore data and continue operations in an emergency?
- Evaluation Policy: How will your internal audit process review your own safeguards? For example, how will you audit training requirements? HIPAA requires some training, but the specifics are left to the organization; whatever the policy, it must be followed.
- Business Associate Policy: How will you manage the risk from the third parties you work with?
- Facility Security Plan: How will you secure your workspace from physical threats?
- Device and Media Controls Policy: How will you add, manage, re-use, and dispose of hard drives and other electronic devices? Waving a magnet over them is not enough.
- Access Control Policy, including Unique ID, Emergency Access Procedures, Automatic Logoff, and Encryption Policies: How will you protect your information from unauthorized use?
- ePHI Integrity Policy: How will you keep your information accurate and valid? You don’t want to overlook an allergy to a medication, for example.
- HIPAA Documentation Policy: How will you manage all these policies?
(This last item may seem deceptively simple. A HIPAA Documentation Policy should describe where to keep your HIPAA Documents, how long to keep them, when and how to review and update them, and who can view them. This should address not just your policies, but all the other documents these policies produce, such as your organization’s HIPAA audit logs retention requirements, risk management decisions, audit reports from your internal evaluations, and security decisions and their outcomes.)
For each of these HIPAA Audit Requirements, you should determine:
- Do these required policies and procedures exist;
- Are they followed; and
- Are they reasonable and appropriate?
HIPAA Audit Log Requirements
“Reasonable and appropriate” is a judgement call, but some things are self-evident. If your organization’s HIPAA audit trail requirements are “keep logs for 24 hours”, that is neither reasonable nor appropriate.
If your Password Policy states only “users must have a password”, that isn’t either. The size and budget of your organization does affect what’s “reasonable”; that which is “reasonable” for Kaiser Permanente is not going to be reasonable for a solo physician practice, and vice versa.
Your organization’s HIPAA audit log retention requirements should be somewhere in between those two. In practice, most organizations without Kaiser’s budget keep HIPAA audit logs for as long as disk space is available, then overwrite the oldest events first.
At Techumen, we believe that an OK policy, well understood and thoroughly implemented, is better than a perfect policy that isn’t quite within reach.
And HHS agrees with us – an organization that does not follow its own policies is typically penalized more harshly than one that does, even when both have similar breaches. Whatever policy you document, make sure it is implemented across the organization.
The HIPAA Audit Requirements are long and tedious, but straightforward and based on public information. A methodical review of your organization’s policies, and how completely, or not, they are followed, will prepare you well for a HIPAA Audit.