HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection, as regulated by the U.S. Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). Importantly, HIPAA sets strict rules for both covered entities (including anyone providing treatment, payment, and operations in healthcare) and business associates (defined as anyone who has access to patient information and provides support in treatment, payment, and operations). HIPAA mandates entities and associates with access to Personal Health Information (PHI) must have technical, physical, and administrative safeguards to protect the integrity of that information.

Because of these rules, and the ramifications associated with non-conformity to the established standards, a HIPAA security compliance report is useful to any entity or business associate that must demonstrate compliance with the requirements. McKonly & Asbury is equipped to assist businesses, large and small, in achieving HIPAA compliance, with a proven approach that is efficient and effective while minimizing disruption.

Selecting a HIPAA Compliance Auditor

When selecting a HIPAA compliance auditor, organizations want to work with knowledgeable professionals. McKonly & Asbury brings a multidisciplinary team that understands the depth, breadth, and nuances of reporting on HIPAA internal controls. Our firm draws on our proven technical experience, developed in evaluating, creating, establishing, and auditing the internal IT controls of an incredibly diverse client base. We combine and coordinate that with the exceptional knowledge and insights of professionals from our dedicated healthcare practice. In short, McKonly & Asbury provides our clients with the tools and insights they need to develop internal control environments that meet the requirements of their customers, business associates, and, perhaps most importantly, HHS and OCR.

The majority of McKonly & Asbury’s engagements are scoped to include the requirements of the HIPAA Security and Breach Notification Rules, which established requirements to provide notification following a breach of unsecured protected health information. The scope can be expanded to include the requirements of the HIPAA Privacy Rule, individual state privacy and security laws and regulations, and other criteria deemed appropriate by the organization.

HIPAA Preassessment

McKonly & Asbury begin with a preassessment, which is critical to ensure the organization’s controls are designed and operating effectively for the HIPAA audit period. This preassessment is completed before the audit period commences for most of our client engagements. McKonly & Asbury engages our clients to map and detect gaps between their existing processes and controls in comparison to established HIPAA requirements, as well as any additional agreed-upon criteria, such as the aforementioned state privacy and security laws and regulations. After the preassessment, the organization selects an audit period.

HIPAA Audit

McKonly & Asbury’s team then commences the audit, bringing a multidisciplinary team of healthcare, IT, cybersecurity, and internal audit and controls professionals to the engagement. Our deep knowledge of these areas, coupled with our years of experience working together, serve to minimize disruption to our clients. Furthermore, our advanced planning process enables our clients to appropriately time the availability of resources and personnel, further enhancing the efficiency of the audit.

After the audit, McKonly & Asbury will produce a confidential report, opining on the design and operating effectiveness of the organization’s controls in comparison to the HIPPA requirements, as well as any additional agreed-upon requirements established at the beginning of the audit engagement. The decision regarding how this document is utilized is at the discretion of the organization, including its use as an internal document used by management to gauge HIPAA compliance, or as an externally facing document to provide security assurance to prospective or current clients or customers.