Auditing for HIPAA compliance

April 26, 2017

Katherine Downing, MA, RHIA, CHPS, PMP
IG Advisors Senior Director, AHIMA

Since the Office for Civil Rights (OCR) announced its Phase 2 HIPAA Audit Program in March 2016, selected entities have been and will continue to be audited on their compliance with HIPAA’s privacy and security rules. OCR randomly sampled from all covered entities (CEs) and their business associates (BAs), selecting 167 covered entities and approximately 40 business associates for desk audits. Selected entities were contacted via email by OCR and asked to submit documentation via the OCR portal within 10 days of receipt of the request. The requested documentation presented several challenges for the selected CEs, including the turnaround time, the requested formats, and information gathering.

The 2016 desk audits were just the beginning of the OCR’s audit plan. On-site audits are expected to begin this year. CEs and BAs may be subject to both types of audits. Privacy, security, and compliance officers need to ensure that they develop and implement regulation requirements, review existing practices, and “kick the tires” to ensure that CEs continue to be HIPAA compliant.

In February, the American Health Information Management Association (AHIMA) released an External HIPAA Audit Readiness Toolkit, designed to provide details about external HIPAA audits and to include government resources and other tools to help an organization prepare for any external HIPAA audit. This toolkit enables the user to understand the requirements for OCR HIPAA Phase 2 audits, including ongoing future audits, and offers guidance regarding audit preparation and recommended practices.

To ensure success with an external OCR audit, every organization should complete internal HIPAA audits using the OCR audit protocols as well as auditing against HIPAA policies. The goal is to identify and mitigate risks and assess internal compliance with policy.

Two HIPAA internal audit case studies

Organizations are investing time on internal audit processes for HIPAA compliance to minimize risk to the organization’s information and reduce the risk and costs of breach and noncompliance.

The two organizations interviewed for this case study indicated the following:

  1. User access audits are a key aspect of an internal audit.
  2. “Walk through” audits are key to recognizing employees’ understanding of the organization’s HIPAA policies and procedures as well as how policies are being implemented throughout the organization.

Auditing user access

There are two steps to reviewing user access. The first is identifying which patients a user accessed in the system. The second aspect is analyzing what a user has the rights to access based on his/her user profile in the system.

Both organizations in this case study have invested in third-party software to monitor user access and provide automated alerts on access risk areas such as employees as patients, VIP patients, managers and organizational leaders as patients, employees who have been terminated, patients with the same last name as the user, patients with the same or similar address as the user, and more. The organizations also maintain open communication with their human resources departments about employees who are at high risk for inappropriate access, such as disgruntled employees.

In addition to the automated system audits, the privacy officers also perform audits and random review of access quarterly.

Part of implementing an information governance program in the organization is a review of how users are set up with system access and of the standard access granted to each user group. Often “access creep” occurs, where users accumulate more access than is needed for their current job function. This can happen when job parameters change, or when an employee moves from job to job within the organization and new functions are added without the functions no longer needed being removed.
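As an added illustration of the two review steps above (not code from the article or from either organization), the following Python applies the alert rules the organizations describe (terminated user, employee viewing their own record, matching last name or address, VIP patient) to a constructed access log, and compares one user's granted rights against a constructed role baseline to surface access creep. All user, patient and role data are made up; the rule names and record fields are assumptions.

```python
# Added example (not from the article): rule-based review of patient-record
# access events and of "access creep", using constructed sample data.

USERS = {  # user_id -> directory entry (constructed)
    "u101": {"last": "garcia", "address": "12 elm st", "terminated": False, "patient_id": "p9"},
    "u102": {"last": "lee", "address": "40 pine rd", "terminated": True, "patient_id": None},
    "u103": {"last": "nguyen", "address": "7 oak ave", "terminated": False, "patient_id": None},
}
PATIENTS = {  # patient_id -> demographics (constructed)
    "p1": {"last": "garcia", "address": "99 main st", "vip": False},
    "p2": {"last": "smith", "address": "7 oak ave", "vip": False},
    "p3": {"last": "jones", "address": "1 hill st", "vip": True},
    "p9": {"last": "garcia", "address": "12 elm st", "vip": False},
}
ACCESS_LOG = [("u101", "p1"), ("u101", "p9"), ("u102", "p3"), ("u103", "p2"), ("u103", "p3")]

def flag_access(user_id, patient_id):
    """Return the risk-area labels that apply to one access event (empty list if none)."""
    user, patient = USERS[user_id], PATIENTS[patient_id]
    flags = []
    if user["terminated"]:
        flags.append("terminated_user")
    if user["patient_id"] == patient_id:          # employee looking at their own record
        flags.append("employee_as_patient")
    elif user["last"] == patient["last"]:         # possible family member
        flags.append("same_last_name")
    if user["address"] == patient["address"] and user["patient_id"] != patient_id:
        flags.append("same_address")
    if patient["vip"]:
        flags.append("vip_patient")
    return flags

def review_log(log=ACCESS_LOG):
    """Return {(user, patient): flags} for every event that needs privacy-officer review."""
    return {event: flag_access(*event) for event in log if flag_access(*event)}

ROLE_BASELINE = {"coder": {"view_chart", "assign_codes"}}  # constructed standard group access
USER_GRANTS = {"u103": {"view_chart", "assign_codes", "discharge_patient", "order_meds"}}

def access_creep(user_id, role):
    """Rights a user holds beyond the standard access for their current role."""
    return USER_GRANTS.get(user_id, set()) - ROLE_BASELINE[role]

if __name__ == "__main__":
    for event, flags in review_log().items():
        print(event, flags)
    print("u103 rights beyond role baseline:", sorted(access_creep("u103", "coder")))
```

In practice the same rules would be run against the audit-trail export of the clinical system and the HR feed, with flagged events queued for the quarterly manual review the article mentions.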

Walk about audit processes

Both organizations interviewed indicated each area of the organization is visited every 12-18 months during a walk about. This includes the hospital, home health, physician practices, corporate, and other organizational entities.

This internal audit process reviews both compliance with policy and the security safeguards in place. During these internal audits, the privacy and security officers make sure that PHI and material awaiting shredding are secured, screens are pointed away from the public, PHI on white boards is handled per policy, and sign-in sheets are handled per policy. They also observe interactions with patients and visitors and make sure the notice of privacy practices is posted per HIPAA requirements and that its distribution is per policy. In addition, the auditors ensure that confidential information, such as the reason for a visit, cannot be overheard.

The staff is interviewed and asked nine questions including the following:

  • How do you report a real or suspected privacy or security issue?
  • How do you release information to patients?
  • What can you leave on a patient’s or family member’s answering machine?
  • How do you verify callers requesting patient information over the phone?
  • Where do you find privacy and security policies?

From a security perspective, the auditors make sure that computers that are unattended have been logged off per policy, passwords are not “taped to the keyboard,” printers and fax machines are not where the public could remove confidential information, that locked rooms are indeed locked, and that badge access to secure areas is being utilized.
