Three steps to prepare for a HIPAA audit
What's the fix?
CEs should take the following immediate actions to prepare for the pending HIPAA audits:
1. Carry out or update the HIPAA risk analysis as required by the Security Rule, update the remediation plan and make progress toward remediating high-priority risks. CEs should also perform a gap analysis of the HIPAA safeguards and implementation specifications to better understand where they lack the necessary controls. Pilot audit results indicate risk analysis was ranked in the top five findings for audited CEs.
2. Establish a HIPAA audit response capability. CEs selected for audit have 15 days to respond to requests for information. CEs need to specify the responsive information control owners will have to provide in the event of audit. Examples of responsive information include:
- Letters of designation for privacy and security officers
- Evidence of how the physical, administrative and technical controls implemented to address HIPAA are operating
- A copy of the preemption analysis for determining the most stringent provisions between HIPAA and other federal, state and local health care laws
- Privacy and security policies, procedures and relevant forms
- A copy of HIPAA training records
- A sample of the current Notice of Privacy Practices, supplemented by archived versions
- A copy of most recent internal privacy and security risk assessments, supplemented by archived versions
- Copies of HIPAA program governance reports submitted to executive management
3. Leverage the publicly available results of the pilot audit program to benchmark the organization against the most common findings. The results suggest the following key areas of weakness exhibited by the CEs involved in the pilot:
- User activity monitoring
- Contingency planning
- Media reuse and destruction
- Risk assessment
These recommendations assume that the organization already has an effective HIPAA governance structure in place to address the complexities of the regulations and the broad number of business stakeholders required to support the program.