With stories about security breaches, computer hacking, and stolen personal data making the news daily, we are all concerned about the safety and security of our medical data.

Results of the 2019 HIPAA audits were troubling, and they only appear to be getting worse.

Only 14% of the covered entities and businesses scored a 1, the highest rating, for content breach notification. Only 1% of the covered entities and enterprises scored a 1 for right-of-access. No covered entities and businesses scored a 1 for HIPAA security risk analysis. 

To ensure the safety and privacy of personal medical data and protected health information, the United States government passed the Health Insurance Portability and Accountability Act of 1996. HIPAA is United States federal legislation covering the data privacy and security of medical information.

The public has a right to demand privacy for personal medical data. We trust healthcare providers with our health. It’s only fair to be able to trust them with our protected health information and medical data. HIPAA sets expectations and guidelines, also known as HIPAA compliance, for healthcare providers to protect our medical data.

The Health and Human Services Office For Civil Rights manages HIPAA. They conduct audits to ensure compliance with the covered entities and businesses that handle medical data.

Unfortunately, some businesses struggle with HIPAA compliance guidelines. Healthcare providers have been reluctant and slow to protect data or upgrade their systems. Medical data-based ransomware attacks and healthcare cybersecurity breaches are rampant. Studies show that it costs more than $250,000 and upwards of six months to become HIPAA-compliant. However, many in the healthcare industry don’t have the time or resources to manage the process correctly.

There are steps you can take to prepare for HIPAA compliance audit.

We’ll look at the compliance rules and HIPAA auditing protocols.  Then, go over the steps you can take to meet the demands of an audit and ensure compliance with HIPAA regulations.

Also, we prepared a complete checklist for HIPAA Compliance.

logo for the HIPAA compliant shield

What is a HIPAA audit?

The OCR works closely with health care providers, covered entities and businesses to ensure compliance with HIPAA regulations the HIPAA privacy and security. HIPAA audits are conducted to track progress on compliance and to identify areas where improvement is needed.

To avoid expensive Hipaa violations and fines, secure protected health information. Providers should conduct a risk assessment and take steps to prepare for HIPAA compliance audits.

What Is HIPAA Title II?

While there are five separate sections covered in HIPAA, Title II is the section focused on protecting individual medical information.

Achieving compliance with HIPAA requires meeting the guidelines in Title II. The privacy rule in Title II focuses on Protected Health Information (PHI). It provides laws and standards that protect personal health information, detailing the covered entities and businesses required to abide by HIPPA.

The security rule, the other piece of HIPAA Title II, focuses on the safeguards and protection that must be implemented to safeguard PHI, especially regarding electronically protected health information (also called ePHI). This includes administrative, physical, and technical safeguards as well as organizational requirements and documentation standards. Data security plans and information technology infrastructure are critical to the security rule, which is an area where many healthcare providers struggle.

patients medical records and chart being audited

HIPAA Audit Requirements: 6 Steps To Be Prepared

1. Focus on HIPAA training for employees

Staff training is critical for an understanding of HIPAA compliance requirements. Employees who haven’t been trained or don’t have experience with compliance regulations can increase the risk of a failed audit.

Document your training to show the OCR (Office of Civil Rights), that you are dedicated to employee instruction. Create and publish policies that make training and education a priority. Make sure your team is thoroughly trained before the audit because OCR will ask questions to ensure everyone understands HIPAA regulations and compliance rules.

2. Create a Risk Management Plan and Conduct a Risk Analysis

A risk management plan and a risk analysis are required.

A HIPAA risk analysis looks for any security risks your company might be exposed to – all risks. The risk management plan is a strategy to address those risks.

In conducting the risk assessment, you should also prepare your security documents. Compliance rules state reports should be recorded, written, and kept in an easily accessible location. Rules should be specific to all aspects of your business, and not isolated to one area.

For example, all policies regarding the HIPAA privacy and security rule should be documented. Documents that cover incident response, breach notification, IT and firewalls, and physical security should be included. These documents will not only help in the audit process but provide clear direction in the operation of the business.

woman holding sign for HIPAA Privacy

3. Select a Security Assessment and Privacy Officer

HIPAA requires a security and privacy officer for each covered entity and business. This does not have to be a new hire, but you do need someone responsible for the security and privacy of PHI. They are responsible for showing the effort being made to meet regulations.

The officer should also review business associate agreements. The OCR will discuss the third-party relationships that involve electronic protected health information. Create a list of vendors and suppliers, and the security and safeguards they have in place through the business associates agreement.

This officer should schedule a regular review of security policies and conduct a risk analysis on IT systems and data security. They should also have a record of any breaches or incidents. Don’t try to hide any problems or data breaches during the audit. Be honest. Incidents happen, and the OCR wants to know how you responded to the security breach.

medical professional checking If Gmail HIPAA Compliant

4. Review Policy Implementation

As important as it is to document policies and procedures, it’s also important to see how those policies are being implemented. The OCR will review how those policies and procedures apply to the daily business operation, and if they are implemented consistently.

Talk to your team to see how the policies are working. If employees are struggling to follow policy, then take the time to analyze the problems and make adjustments as needed. Create an implementation schedule to include in the audit. The OCR wants to see the policies in action. If you are still implementing the plans, then show them the schedule, so that they know progress is being made.

5. Conduct an Internal Audit

An internal audit program is the best way to identify problems in your system before the OCR audit. Regularly conducting internal audits will not only help you solve problems before they turn into a fine, but also keep your team sharp and take pressure off during the actual review.

It’s often a good idea to work with an organization that specializes in compliance or data security to help conduct the internal audit. They can review your security and compliance standards and take a close look at your risk analysis and risk management plan. With an outside perspective, they may be able to identify problems that didn’t show up in your internal risk assessment. Partnering with an IT and data security provider will help ensure a complete and thorough internal audit.

As a best practice, review your policies and procedures as the auditor might. Consider if the policies are meeting the intent of the regulation and improving patient privacy and security. By critically analyzing these methods, you can find areas of improvement in both business operations and HIPAA compliance.

6. Create an Internal Remediation Plan

Once you’ve gone through the above steps and conducted an internal audit in preparation for your HIPAA audit, you should create a remediation plan to reduce risks and correct findings. Attach a schedule with timelines to the remediation plan and be prepared to discuss the plan with OCR during the audit.

While HIPAA sets guidelines and standards for protected health information, it’s also essential to see HIPAA as a continual process. A remediation plan and a schedule help to keep covered entities and businesses on track and compliant, even between audits.

Finally, make sure you limit your internal audit concerns to the policies and procedures of your business. While the business associate agreements are an important part of HIPAA, focusing on vendors and suppliers can leave your operations at risk. Your primary concern with the remediation plan and audit should be internal processes.

Healthcare security check conducting a HIPAA compliance audit

Start Preparing For Your HIPAA Compliance Audit

Risk analysis is a critical first step to achieve compliance with HIPAA. Compliance rules are not just crucial for meeting regulations but should be standards of ethical business operation.

Taking the steps above is critical for HIPAA compliance. Work with a HIPAA security compliance expert to review your IT infrastructure. Conduct a risk analysis and identify problems early, before the audit.

As the OCR prepares for the next phase of HIPAA audits, make sure you are ready. Protect your business and the private medical information you are entrusted to keep safe and secure.