Linford & Company provides HIPAA Compliance audits that are designed to assess an organization’s risk management and regulatory compliance effectiveness. Most engagements are scoped to include the requirements of the HIPAA Security and Breach Notification Rules. Optionally, the engagement scope can be expanded to include the requirements of the HIPAA Privacy Rule, as well as state privacy and security laws and regulations. The HIPAA Compliance report may be distributed to clients and prospective clients. We also perform HIPAA Compliance Assessment reports for the internal use of management.
A typical audit for HIPAA Security and Breach Notification Rule compliance includes the evaluation of the administrative, physical, and technical safeguards as they relate to the electronic protected health information (ePHI) an organization creates, receives, processes, maintains, and/or transmits; as well as the evaluation of the organization’s policies, procedures, and overall readiness to manage a breach of protected health information (PHI) in accordance with the notification requirements.
This form of report is issued under attestation standards established by the American Institute of Certified Public Accountants (AICPA); specifically, AT-C Section 315, Compliance Attestation. Reports issued under AT-C Section 315 express an auditor’s opinion on an organization’s compliance with the requirements of specified laws and regulations; in this case, the requirements of the HIPAA Security and Breach Notification Rules. A report issued in accordance with the provisions of AT-C Section 315 does not provide a legal determination of an entity’s compliance with specified requirements, although such a report may be useful to legal counsel or others in making such determinations.
A HIPAA security compliance report is useful to any HIPAA covered entity or business associate that must demonstrate compliance with the HIPAA requirements. The following are examples of how audit reports are used:
- Service organizations or service providers (e.g., providers of colocation services, managed services, cloud services, software-as-a-service, outsourced transaction processing, etc.) may provide the report to potential or existing customers as evidence that the systems environment in which customer ePHI is stored is HIPAA-compliant. These organizations are known in HIPAA as “business associates” and are required to sign a business associate agreement with each HIPAA-covered entity to which they provide such services.
- Healthcare provider and payer organizations may desire such a report to gauge the effectiveness of their privacy and security compliance programs and to make improvements.
- Healthcare provider and payer organizations may require the report from their most critical service providers (i.e., business associates) to ensure that those organizations are compliant with the HIPAA requirements and to increase the likelihood that the threats, vulnerabilities, and risks to ePHI have been identified and addressed.
Linford & Company performs each audit engagement using a proven phased approach to deliver the utmost value to each organization. Throughout all phases of the HIPAA audit, we will capture and share knowledge and best practices for use throughout the organization. For more information, please contact us.