What is a HIPAA Compliance Audit?
With a continued focus on cybersecurity and protection of personal health information (PHI), certain entities may find their clients asking whether you are compliant with HIPAA. To determine whether you are compliant, a HIPPA Compliance Audit could be performed.
What is a HIPAA Compliance Audit?
A typical HIPAA compliance audit is if often a comprehensive audit that includes an entity’s compliance with HIPAA guidelines with respect to privacy and protection of PHI including notification of any breaches of data. There are different requirements depending on whether you are considered a “covered entity” or a “business associate”. If you are considered a “business associate,” where your company accesses, works with or houses data that is protected under HIPAA, you are required to be in compliance with HIPAA. A portion of this compliance is related to security standards that an entity must have in place to be compliant. Within the HIPAA Security Standards there are three safeguard categories, 18 Security Standards, and over 35 implementation specifications.
HIPAA Security Safeguards
HIPAA Security safeguards include Administrative Safeguards, Physical Safeguards, and Technical Safeguards. A listing of these safeguards and standards categories are provided below:
- Administrative Safeguards
- Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, Business Associate Contracts and Other Arrangement
- Physical Safeguards
- Facility Access Controls, Workstation Use, Workstation Security, Device and Media Controls
- Technical Safeguards
- Access Control, Audit Controls, Integrity, Person or Entity Authentication, Transmission Security
Under each of these security standards are implementation specifications that are either required to be HIPAA compliant or are addressable. Addressable standards can be implemented by the business associate but are not required to be HIPAA compliant. Under each of these addressable standards, a business associate can determine whether this standard is applicable to them and provide a response as to why they are not implementing the standard. HIPAA also includes standards related to notification of breaches as a requirement as part of the standards.
What is involved in a HIPAA Compliance Audit?
In a HIPAA Compliance audit, a qualified auditor will perform inquiries, examine support, and observe evidence of the controls that are in place at the entity. These controls will also be reviewed for compliance with the applicable HIPAA Security standards and Breach Notification criteria. Depending on the number of controls, a HIPAA Compliance audit could take several weeks to conduct.
Similar to a SOC report, at the conclusion of the audit, the auditor will issue a report noting the results of the audit. This can include whether exceptions were found during the testing and can be provided to clients to confirm that your company is compliant with the applicable HIPAA standards.
McKonly & Asbury is experienced in assisting clients in identifying and implementing the controls needed to pass a HIPAA compliance audit. Please contact us if you have questions about the process or are ready to move forward with a HIPAA assessment.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Supervisor with the firm. He is a member of the firm’s Audit & Assurance Segment, serving the manufacturing industry and SOC practice
