A HIPAA Audit Checklist So Good Your Auditor Will Fall in Love!
(And So Will Your Business Associates!)
If you are in the Healthcare Industry, you may be in the stressful process of getting your documentation in place before the 2015 HIPAA audits begin. You are not just responsible for producing your own documentation. You will also be need to produce compliance documentation from your Business Associates, or BAs. Business Associates can include software providers, Data Centers, Managed Service providers, or Hosting companies.
Why? Because if your BA has a breach of Patient Records, also known as Private Healthcare Information (PHI), and the BA doesn’t have accurate documentation explaining the security measures they have in place, you—the Covered Entity (CE)—could be responsible for paying damages.
A Checklist For Your HIPAA Audit
Having all of your audit documentation ready and in order might make your HIPAA Auditor love you! But what do you need?
What You Need From Your Business Associate (BA)
Before you sign an agreement, have your prospective BA invest in an independent risk assessment audit. If they haven’t, think twice about giving them your business. If they have, ask them to produce their risk assessment report for you to review.
A risk assessment audit, among other things, will reveal where the BA stands on basic security-pillars.
- Administrative compliance
This pillar includes the PEOPLE side of security. It outlines process management, assigned responsibilities, information access, and awareness training. It’ll also include incident procedures, and disaster preparedness.
- Physical compliance
This pillar includes PEOPLE but it’s more about process FAILSAFES. It includes contingency operations, access control and validation procedures, as well as maintenance records. Workstations and device management also fall under this category.
- Technical compliance
This pillar includes PEOPLE and their engagement with Electronic SYSTEMS. It outlines access controls, including unique user ID, emergency access procedures, automatic logoff, and encryption/decryption methodologies. System integrity, authentication, and transmission all fall under this banner.
- Organizational compliance
This is pillar concerns ENTITIES and includes BA contracts and requirements for group health plans.
What a Business Associate Agreement Outlines
A Business Associate Agreement outlines, in detail, the different roles and responsibilities of the BA. These roles include:
- Obligations and Activities
- What NOT to disclose PHI outside of permissible limits
- What constitutes Appropriate Safeguards
- Risk Mitigation measures
- Reporting of PHI use and disclosures
- BA Outside Contractor Compliance
- CE Access Upon Request
- CE Modifications as needs arise
- CE Review of BA Practices
- BA Document Disclosures
- WHERE physical access points [computing device] occur and HOW they’re secured
- WHO oversees devices and redundancies to prevent loss
- WHO from the BA notifies the Covered Entity of breaches and within what time frame
- WHAT information appears on the notification
You should even outline what happens to your PHI data after you, the CE, migrate to a different BA.
A good way to make sure you are covering the full range of services is to meet with your internal disciplinary team and walk through “WHAT IF” scenarios. Identify the WHO, WHAT, WHERE, WHEN, WHY and HOW actions ahead of time and document these decisions. This will help HIPAA Compliance, but form an internal document your entire team can follow.
Protected Health Information (PHI) Breach Insurance Coverage
Make sure you understand and document what your BA’s Privacy/Data Breach Insurance covers. Their policy should outline:
- Cost of notification to
- Patients and Physicians
- Government agencies
- Media announcements
- Review of evidence
- Discipline and retraining of workforce
- Legal fees
- Court costs
- Levied fines and penalties
- Who pays?
Documentation is key when you are being audited. When you do a self-audit, check back with your BA to make sure their coverage has not lapsed or changed. Confirmation of your coverage should appear in the Business Agreement.
Policy Training for all people with access to PHI
What will your BA workforce do in the event of a power outage, natural disaster, or equipment failure? Do they hold regular drills? You should make sure they provide you with their in-house policies and procedures document. Make no assumptions. When you are in an audit, you must be able to point to what your BA has stated they will do. All of this IT security compliance must appear in your HIPAA documentation, both yours and your BA’s.
It is not only information that is at stake. People’s medical files must remain accessible 24/7/365. You DO NOT want files to go missing, especially when you are in the middle of someone’s medical emergency.
Healthcare IT security compliance is painful. It forces providers to work through the new regulations, to adjust current procedures, to clearly communicate these process changes to staff, and to self audit to ensure you are in compliance.
But It Is All Designed To:
- Protect the patient’s privacy and medical records
- Keep information contained to the least amount of people
- Ensure your BA’s and vendors are also safeguarding that information
- Assure that procedures are in place and staff is trained in protecting that information
Your patients and staff will appreciate these efforts.
Source White Paper: HIPAA Compliant Hosting, Online TECH (subtitle: HIPAA Compliant Data Centers), pp. Section 5, Vendor Selection Criteria.