HIPAA Audit: Compliance for Security
The Department of Health and Human Services' (DHHS) Office of e-Health Standards and Services released a two-page document containing a sample Interview and Document Request list for HIPAA Security Onsite Investigations and Compliance Audit Reviews.
To download the PDF: Official DHHS released HIPAA Audit Checklist
The HIPAA Security Rule establishes very clearly the requirements for the Risk Management implementation specification, the Audit Controls standard and the Evaluation standard:
Risk Management Implementation Specification
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Audit Controls Standard
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI (e-PHI).
Evaluation Standard
Perform a periodic technical and non-technical evaluation to demonstrate and document compliance with the entity's security policy and the requirements of the HIPAA Security Rule.
The Risk Management implementation specification requires that organizations, on a regular basis, identify, select, and implement controls, countermeasures, reporting and verification to achieve an appropriate level of risk at an acceptable cost.
Organizations must also repeat the process of identification of all vulnerabilities to electronic PHI as well as other information assets and determine appropriate security measures to reduce risks to a reasonable and appropriate level.
All organizations should go beyond merely meeting HIPAA Security Rule compliance requirements. The compliance requirements are limited to electronic PHI; organizations must evaluate their security requirements not just for all PHI, but for all information assets. The evaluation of whether compliance requirements have been met may be performed internally, by an external resource, or jointly.
The Security Rule requires that covered entities periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of the Security Rule.
Objective of HIPAA Audit and Evaluation for Compliance
The objective of a HIPAA Audit includes the following activities:
1. Assess if all vulnerabilities have been addressed.
2. Verify that all compliance requirements have been met.
The objective of risk management is to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
NIST defines risk as the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
Security professionals generally define risk management as a process for identifying, selecting, and implementing controls, countermeasures, reporting, and verification to achieve an appropriate level of risk at an acceptable cost.
The objective of the Audit Control standard is to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Organizations will need to review the mechanisms that must be deployed to record and examine system activity in order to detect suspicious data activity. The audit capability must enable tracing not just to the device but also to the user, because the security policy must hold individuals responsible for their actions. The policies lead to procedures to follow in the event of audit alarms or discrepancies.
The organization should define who may access the system audit log data and provide for secure storage and protection of the log data, especially where it contains protected health information. Audit trails may become evidence in legal proceedings, so care should be taken to protect their integrity in order to preserve their usefulness for such purposes.
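One way to meet the two audit-control points above (attribution to user and device, and integrity protection of the trail) is an append-only, hash-chained log. The example below is added here and is not from the DHHS document or any particular product; the user names, workstation ids and record ids are constructed values.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry
FIELDS = ("ts", "user", "device", "action", "record_id")

def _entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash plus this record's canonical JSON."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_event(log: List[dict], ts: str, user: str, device: str,
                 action: str, record_id: str) -> dict:
    """Append one entry that ties the action to both a user and a device."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = dict(zip(FIELDS, (ts, user, device, action, record_id)))
    entry = dict(record, prev_hash=prev_hash, hash=_entry_hash(prev_hash, record))
    log.append(entry)
    return entry

def verify_chain(log: List[dict]) -> Optional[int]:
    """Return the index of the first entry whose link is broken, or None if intact.

    Catches edits, reordering and deletions inside the log. Truncation of the
    newest entries is NOT detectable from the log alone: also keep the latest
    hash in write-protected storage (or another system) and compare it.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        if entry["prev_hash"] != expected_prev or entry["hash"] != _entry_hash(expected_prev, record):
            return i
        expected_prev = entry["hash"]
    return None

def events_for_user(log: List[dict], user: str) -> List[dict]:
    """Examine activity: every entry attributable to one user."""
    return [e for e in log if e["user"] == user]

def build_sample_log() -> List[dict]:
    """Constructed sample events (hypothetical users, devices and record ids)."""
    log: List[dict] = []
    append_event(log, "2024-01-05T10:00:00Z", "nurse.jdoe", "ws-ER-07", "VIEW", "MRN-000123")
    append_event(log, "2024-01-05T10:05:00Z", "dr.asmith", "ws-ICU-02", "UPDATE", "MRN-000123")
    append_event(log, "2024-01-05T10:09:00Z", "nurse.jdoe", "ws-ER-07", "PRINT", "MRN-000456")
    return log
```

Access to the log itself should still be restricted as the text describes; the chain makes tampering detectable, it does not prevent it.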
The objective of the Evaluation standard is to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
Covered entities are required to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity's security policy and the requirements of the Security Rule. Covered entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation. This evaluation may be performed internally or by an external accrediting agency, which would be acting as a business associate. The evaluation covers both technical and non-technical components of security.
Strong audit trails are a critical component of an organization’s security strategy and help the entity ensure the confidentiality, integrity and availability of e-PHI and other vital information and avoid any HIPAA law violations.
Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews
Let us help you in completing your HIPAA compliance with an audit.
Please contact us for more information at email@example.com or call (515) 865-4591.