HIPAA Compliance Audits
Linford & Company provides HIPAA compliance audits that are designed to assess an organization’s risk management and regulatory compliance effectiveness. Most engagements are scoped to include the requirements of the HIPAA Security and Breach Notification Rules. Optionally, the engagement scope can be expanded to include the requirements of the HIPAA Privacy Rule, as well as state privacy and security laws and regulations.
HIPAA Security Compliance Audit Scope
A typical audit includes an evaluation of the administrative, physical, and technical safeguards as they relate to the electronic protected health information (ePHI) an organization creates, receives, maintains, and/or transmits. Audits are performed through interviews, observation of processes and physical security measures, inspection of documentation, inspection of the configuration of the technical systems environment, compliance testing of key controls, and examination of business associate and subcontractor agreements, among other activities.
The scope of most engagements includes the following:
HIPAA Security Rule:
- Administrative Safeguards (HIPAA § 164.308)
- Physical Safeguards (HIPAA § 164.310)
- Technical Safeguards (HIPAA § 164.312)
- Organizational Requirements (HIPAA § 164.314)
- Policies and Procedures and Documentation Requirements (HIPAA § 164.316)
HIPAA Breach Notification Rule:
- Notification to Individuals (HIPAA § 164.404)
- Notification to the Media (HIPAA § 164.406)
- Notification to the Secretary (HIPAA § 164.408)
- Notification by a Business Associate (HIPAA § 164.410)
- Law Enforcement Delay (HIPAA § 164.412)
- Administrative Requirements and Burden of Proof (HIPAA § 164.414)
Gaps in Compliance
It is not uncommon for an audit to identify gaps in compliance. Linford & Company works with our clients to identify these gaps and recommend a plan of action to remediate and close them. This often entails providing compliance advice, sanitized samples of required artifacts, and templates to assist in the completion of the remediation plan. Subsequent to the closure of any gaps in compliance and upon satisfactory completion of compliance testing, Linford & Company may issue a compliance attestation report, if desired.
AICPA AT Section 601 Reports
This form of report is issued under attestation standards established by the American Institute of Certified Public Accountants (AICPA); specifically, AT Section 601, Compliance Attestation. Reports issued under AT Section 601 express an auditor’s opinion on an organization’s compliance with the requirements of specified laws and regulations; in this case, the HIPAA security- and breach notification-related requirements. A report issued in accordance with the provisions of AT Section 601 does not provide a legal determination of an entity’s compliance with specified requirements, although such a report may be useful to legal counsel or others in making such determinations.
Why Get the Report?
A HIPAA security compliance report is useful to any HIPAA covered entity or business associate that must demonstrate compliance with the HIPAA security-related requirements. The following are illustrations of how audit reports are used:
- Service organizations or service providers (e.g., providers of colocation services, managed services, cloud services, software-as-a-service, outsourced transaction processing, etc.) may provide the report to potential or existing customers to satisfy them that the systems environment where they store ePHI is HIPAA-compliant. These organizations are known in HIPAA as “business associates” and are required to sign a business associate agreement with each HIPAA-covered entity for whom they provide such services.
- Healthcare provider and payer organizations may desire such a report to gauge the effectiveness of their privacy and security compliance programs and to make improvements.
- Healthcare provider and payer organizations may require the report for their most critical service providers (i.e., business associates) to ensure that such organizations are compliant with the HIPAA requirements and to increase the likelihood that the threats, vulnerabilities, and risks to ePHI have been identified and addressed.
Linford & Company performs each audit engagement using a proven phased approach to deliver the utmost value to each organization:
- Phase I: During the planning phase of the HIPAA audit, we define the expectations and goals of the compliance audit and document a description of the ePHI environment in scope. Depending on the services the organization provides, some sections within the Security Rule may not be applicable from a service provider perspective.
- Phase II: Walkthrough and evaluate the design of controls supporting compliance with the HIPAA requirements in scope.
- Phase III: Test the operating effectiveness of identified key controls.
- Phase IV: Gain agreement with management on findings and document our results in a clear and concise report that may be shared with business associates.
Throughout all phases of the HIPAA audit, we will capture and share knowledge and best practices for use throughout the organization.