HIPAA Audit Checklist
What is an Internal HIPAA Audit Checklist?
An internal HIPAA audit checklist is a document Covered Entities and Business Associates should use to audit compliance with the standards of the HIPAA Administrative Simplification Regulations relevant to their operations.
An internal HIPAA audit checklist differs from an external HIPAA audit checklist inasmuch as an external HIPAA audit checklist is designed to meet specific criteria of OCR's audit protocol, CMS' compliance review program, or a third party's certification requirements.
By comparison, an internal HIPAA audit checklist is a comprehensive document that covers all areas of an organization's compliance obligations. However, as different organizations have different compliance obligations, there is no “one-size-fits-all” internal HIPAA audit checklist.
Consequently, Covered Entities and Business Associates should review the following content, determine which standards of the HIPAA Administrative Simplification Regulations are relevant to their operations, and develop an internal HIPAA audit checklist to suit their unique requirements.
Administrative Requirements Audit Checklist
The Administrative Requirements of HIPAA (Part 162) cover areas such as Unique Health Identifiers, Transaction Rules, and Code Set Standards. Covered Entities that conduct claims processing or administration in-house, and Business Associates that provide billing and claims management services for Covered Entities, are required to comply with the standards of this Part.
Generally, there are only three areas of compliance organizations may need to include on an internal HIPAA audit checklist – the operating rules, the transaction rules, and documentation.
- Verify compliance with the operating rules for eligibility, claims status, and electronic funds transfer/remittance advice.
- Test transactions for compliance using the Administrative Simplification Enforcement and Testing Tool (ASETT).
- Document policies, procedures, and test results so that the documentation is available if it is required for a compliance review.
While violations of the Administrative Requirements have not yet resulted in a civil monetary penalty, CMS has the authority to fine Covered Entities and Business Associates for noncompliance with Part 162 if an organization fails a review and subsequently fails to comply with a corrective action plan. In the year to April 2022, 51% of organizations failed compliance reviews and were issued with a corrective action plan.
Privacy Rule Audit Checklist
The Privacy Rule only has two basic requirements – to protect individually identifiable health information from impermissible uses and disclosures, and to give individuals rights over their protected health information. Nonetheless, to comply with these two requirements, organizations subject to the Privacy Rule must comply with up to fourteen sets of standards depending on the nature of their operations.
Why “up to” fourteen? This is because, while all Covered Entities are required to comply with the Privacy Rule, some standards do not apply to all types of organization. Furthermore, some Business Associates may be required to comply with specific Privacy Rule standards depending on the service being provided for or on behalf of a Covered Entity and/or on the terms of their Business Associate Agreement with the Covered Entity.
Therefore, all organizations subject to HIPAA compliance should review the following list, determine which apply to their operations, and add the relevant items to an internal HIPAA audit checklist.
- Designate a HIPAA Privacy Officer
Although most organizations will be familiar with this requirement, it is essential that a member of the workforce is designated as Privacy Officer to be the point of contact for patients/plan members, workforce members, and regulatory agencies. The HIPAA Privacy Officer is also responsible for developing and implementing HIPAA-compliant policies and procedures.
- Understand What Constitutes PHI
There is a lot of misunderstanding about PHI, as a result of which some organizations are unnecessarily overprotective with data, while others are a little too carefree. Not only is it important to understand what constitutes PHI; it is also important, for the sake of security and efficiency, to develop procedures for securing PHI in the minimum number of designated record sets practical.
- Permissible Uses and Disclosures
Make sure all members of your organization's workforce understand the difference between required and permissible uses and disclosures of PHI, uses and disclosures of PHI for which an individual should be given an opportunity to agree or object, and uses and disclosures of PHI for which an individual's written authorization is required.
- Procedures for Obtaining Authorizations
Every Covered Entity should have procedures for obtaining and managing authorizations so that, if an individual exercises the right to revoke an authorization, the revocation can be actioned without delay. Procedures should also exist for, for example, withdrawing any information about the patient that has been used in fundraising or marketing material.
- Notices of Privacy Practices
Every patient or plan member must be given a Notice of Privacy Practices when first attending a healthcare facility or enrolling in a health plan. The Notice must contain details of how PHI may be used or disclosed without an authorization, when it may only be used with the individual's authorization, and the rights of the individual to request privacy protection or copies of PHI.
- Procedures for Responding to Requests for Privacy Protection
Individuals have the right to request restrictions on certain uses and disclosures – which can be situation specific – and request to restrict how they are contacted by a Covered Entity or Business Associate. Organizations must have procedures in place to respond to requests for privacy protection, manage requests, and document oral terminations of requests.
- Procedures for Responding to Requests for Access, Correction, and Transfer
The failure to provide access to health information, correct it when necessary, and transfer it to other providers when requested is one of the leading causes of complaints to HHS' Office for Civil Rights. In an attempt to reduce the number of complaints, the agency is increasing its enforcement action against organizations that fail to respond to requests in a timely manner.
- Procedures for Maintaining an Accounting of Disclosures
Individuals have the right to request an accounting of disclosures of their PHI for the six years prior to the request being made. However, not all disclosures have to be accounted for. Therefore, it is important for Covered Entities to understand which disclosures have to be accounted for and adopt procedures for maintaining an accounting of disclosures for each individual.
- Workforce Training
Under the Privacy Rule, the training requirements are limited in scope to members of the workforce to whom HIPAA policies and procedures apply. However, basic HIPAA training should be provided to all members of the workforce in order to mitigate the risk of impermissible disclosures due to a lack of knowledge and reduce the risk of human error.
Documentation is a requirement of nearly every standard in the Privacy Rule, and organizations required to comply with the standards must put procedures in place for documenting policies and procedures, Notices of Privacy Practices, individual authorizations, workforce training, etc., and for retaining policies and procedures for at least six years from the date they were last in effect.
Organizations subject to the Privacy Rule should also review the General Provisions of Part 164 – a section of the Administrative Simplification Regulations not covered by a “Rule”. These provisions primarily apply to Hybrid Entities, Affiliated Entities, and Organized Health Care Arrangements, and cover restricting access to PHI to only those who are authorized to access it within their roles and safeguarding PHI from non-covered areas of the organization.
Security Rule Audit Checklist
Compared to the potential complexity of a Privacy Rule audit checklist, a Security Rule audit checklist is relatively straightforward. Not only does the Security Rule contain far fewer standards than the Privacy Rule, but the standards within the Security Rule are less open to interpretation. The Security Standards General Rules also allow Covered Entities and Business Associates a “flexibility of approach” about how the standards are implemented.
Additionally, the Office of the National Coordinator for Health Information Technology (ONC) and HHS' Office for Civil Rights have jointly produced a HIPAA Security Risk Assessment (SRA) Tool that organizations can use online or download as an Excel document to fulfill the risk assessment requirements of the Security Rule. However, this tool may not be suitable for all organizations, and before using it, it is advisable to consider the following questions:
- Has your organization designated a HIPAA Security Officer?
This can be the same person as the HIPAA Privacy Officer, but they need to be qualified for the position inasmuch as they have to design, implement, and enforce security policies and procedures. Ideally, this role should be designated to a senior member of the IT team.
- Have you identified from where ePHI originates?
In order to protect ePHI from unauthorized access, disclosure, alteration, or deletion, you have to know where ePHI originates, where it is maintained, and where it is transmitted. Effectively, you need to map the flow of all ePHI in your organization's possession, from the point it is created or received through every system that stores or transmits it.
- Do you know how users access ePHI?
Before using the ONC/OCR Security Risk Assessment Tool, you need to conduct an inventory of devices used to access ePHI and the media on which it is stored. This not only includes onsite devices and servers, but also devices used to access ePHI remotely.
- What security software is already in place?
As a Covered Entity or Business Associate, you are required to implement measures to mitigate threats from malware, ransomware, and phishing. Many organizations already have security measures – such as email and web filters – in place to mitigate threats.
- What role-based access controls are already in place?
Similar to the previous item, many organizations already utilize role-based access controls to control what information users can access. It is far easier to adjust existing controls to comply with the Security Rule standards than start from scratch.
- What other security mechanisms do you already use?
Due to the “flexibility of approach” clause and the fact that some implementation specifications are addressable, it may be possible to comply with many Security Rule standards by enforcing the use of existing security mechanisms – for example, PIN lock, automatic log-off, and password managers.
- What processes already exist for reporting security incidents?
Most organizations should already have processes in place to flag suspect emails, malware, and other anomalies, and these are usually sufficient for internal compliance with the Security Rule – not forgetting that Business Associates are required to report all security incidents to Covered Entities.
- Does the organization already have a security awareness training program?
The likelihood is that most organizations will have some form of security awareness training, and all that may be necessary for the training to meet the requirements of the Administrative Safeguards is to tweak it to be more HIPAA-centric and ensure the training is documented.
- Does the organization enforce a scaled sanctions policy?
Enforcing a scaled sanctions policy is an important step towards HIPAA compliance because it serves as a reminder to members of the workforce that minor or repeated violations of HIPAA can have consequences.
- Does the organization have a contingency or emergency action plan?
Developing a contingency plan for foreseeable emergency events that may threaten the confidentiality, integrity, and availability of ePHI is a requirement of HIPAA. You may need to review the SRA Tool to ensure you have every type of emergency covered.
Although this Security Rule audit checklist is relatively basic with regard to the questions it asks, it is advisable to start a journey to HIPAA compliance by assuming zero knowledge – rather than assume an existing degree of knowledge as the SRA Tool does. Furthermore, when implementing new measures, it is a best practice to test members of the workforce on what information they have absorbed rather than assume they have understood the new measures after one explanation.
HIPAA Audit Log Requirements
Whether you use a Security Rule Audit Checklist or the SRA Tool, it is important not to overlook the HIPAA audit log requirements. The Security Rule requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic Protected Health Information.
Audit logs enable Covered Entities and Business Associates to identify risks associated with events such as unauthorized access, impermissible disclosures, application flaws, and suspicious activities. They can also be used to provide forensic evidence following a security incident or data breach so measures can be put in place to prevent a reoccurrence.
The Security Rule does not specify what data needs to be collected by audit logs or how frequently logs should be reviewed. HHS also acknowledges that different software solutions and applications record and examine system activity in different ways. For this reason, it can be beneficial for Covered Entities and Business Associates to implement HIPAA compliance software that can monitor all system activity and flag issues for further investigation.
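Because the Security Rule says only that activity must be recorded and examined, the practical question is what “examine” looks like in code. The following is an added example, not part of the original article and not an HHS or OCR tool. It runs three review rules over constructed ePHI access-log lines (the log format, the role/action matrix, and the thresholds are all assumptions for illustration): an action that a user's role is not permitted to perform on a patient record, one user touching many distinct patient records in a short window (the classic "snooping" or bulk-export pattern), and a burst of failed authentications from one account.

```python
"""Review constructed ePHI access-log lines and flag entries for investigation.

Added example; the log format, roles, and thresholds are assumptions, not HIPAA rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role/action matrix for patient-record actions (illustrative only).
ROLE_PERMISSIONS = {
    "physician": {"VIEW", "UPDATE", "EXPORT"},
    "nurse": {"VIEW", "UPDATE"},
    "billing": {"VIEW", "EXPORT"},
    "receptionist": {"VIEW"},
}

BULK_THRESHOLD = 5                       # distinct patients per window
BULK_WINDOW = timedelta(minutes=10)
FAILED_AUTH_THRESHOLD = 3
FAILED_AUTH_WINDOW = timedelta(minutes=5)

# Constructed sample log (not real data). Space-separated fields:
# timestamp user role action patient_id result   ("-" where not applicable)
SAMPLE_LOG = """\
2024-03-04T09:02:11 dr.lee physician VIEW P1001 SUCCESS
2024-03-04T09:03:40 dr.lee physician UPDATE P1001 SUCCESS
2024-03-04T09:10:05 jsmith billing VIEW P1002 SUCCESS
2024-03-04T09:11:22 jsmith billing UPDATE P1002 SUCCESS
2024-03-04T13:00:01 tmartin receptionist VIEW P1101 SUCCESS
2024-03-04T13:00:45 tmartin receptionist VIEW P1102 SUCCESS
2024-03-04T13:01:30 tmartin receptionist VIEW P1103 SUCCESS
2024-03-04T13:02:10 tmartin receptionist VIEW P1104 SUCCESS
2024-03-04T13:02:55 tmartin receptionist VIEW P1105 SUCCESS
2024-03-04T15:20:00 unknown - LOGIN - FAILURE
2024-03-04T15:20:08 unknown - LOGIN - FAILURE
2024-03-04T15:20:15 unknown - LOGIN - FAILURE
2024-03-04T16:00:00 nurse.k nurse VIEW P1001 SUCCESS
"""


def parse_log(text):
    """Turn the assumed line format into a list of dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, result = line.split()
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action,
                        "patient": patient, "result": result})
    return entries


def review(entries):
    """Return (rule, user, detail) findings; one finding per user per rule."""
    findings = []

    # Rule 1: record action outside what the role is permitted to do.
    for e in entries:
        if e["patient"] == "-":            # not a patient-record action
            continue
        if e["action"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings.append(("action_not_permitted_for_role", e["user"],
                             f'{e["role"]} performed {e["action"]} on {e["patient"]}'))

    # Rule 2: many distinct patients touched by one user inside a sliding window.
    by_user = defaultdict(list)
    for e in entries:
        if e["patient"] != "-" and e["result"] == "SUCCESS":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["time"])
        for i, start in enumerate(evs):
            patients = {x["patient"] for x in evs[i:]
                        if x["time"] - start["time"] <= BULK_WINDOW}
            if len(patients) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(patients)} distinct patients within {BULK_WINDOW}"))
                break

    # Rule 3: burst of failed authentications from one account.
    failures = defaultdict(list)
    for e in entries:
        if e["result"] == "FAILURE":
            failures[e["user"]].append(e["time"])
    for user, times in failures.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= FAILED_AUTH_WINDOW)
            if n >= FAILED_AUTH_THRESHOLD:
                findings.append(("failed_auth_burst", user,
                                 f"{n} failures within {FAILED_AUTH_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:30} {user:10} {detail}")
```

Against the constructed log this flags jsmith (a billing role updating a record), tmartin (five patient records in under three minutes), and the three failed logins for "unknown"; the physician and nurse entries pass. The thresholds are deliberately low so the example is readable; in a real review they would be tuned to the organization's workflows and the findings fed into the incident-reporting process the Security Rule requires.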
Breach Notification Rule Audit Checklist
As Business Associates are required to notify Covered Entities of all security incidents (not just those that result in a breach of unsecured ePHI), Business Associates will need to use a different Breach Notification Rule audit checklist from a Covered Entity, which can use a HIPAA breach notification tool to determine whether a security incident is reportable or not. Nonetheless, both Breach Notification Rule audit checklists will share some common items – for example:
- How did the breach/security incident occur?
- How has the impact of the breach/security incident been mitigated?
- What should be done to prevent the breach/security incident happening again?
Procedures should also be in place, and responsibilities assigned, for Business Associates notifying Covered Entities of a security incident and for Covered Entities notifying HHS' Office for Civil Rights and impacted individuals of a breach of unsecured ePHI. As with all other areas of HIPAA compliance, the procedures, all breaches/security incidents, and their outcomes need to be documented and the documentation retained for a minimum of six years.
Advice for Developing and Completing HIPAA Audit Checklists
Integrating every element of HIPAA compliance into a single HIPAA audit checklist can be challenging and – due to the checklist's comprehensiveness – potentially leave gaps which lead to compliance failures. There are two ways to overcome this challenge. Either divide the HIPAA audit checklist into smaller, more manageable units, or engage the services of a compliance professional to help you with both the development and the completion of the checklist.
One of the advantages of choosing the latter option is that compliance professionals have the experience to assess an existing checklist, determine how much help you need, and provide as much help as necessary to produce a comprehensive checklist. This approach has the benefit of preventing the scenario in which you are looking for threats that do not exist in standards that do not apply to your organization – ultimately saving you time and money.
What are the HIPAA Administrative Simplification Regulations?
The HIPAA Administrative Simplification Regulations are the “Administrative Data Standards and Other Requirements” that were developed as a result of the passage of HIPAA (Title 45, Subtitle A, Subchapter C of the Code of Federal Regulations).
The Regulations not only include the standards for the Administrative Requirements and the Privacy, Security, and Breach Notification Rules, but also the General Administrative Provisions, the General Security and Privacy Provisions, and the Enforcement Rule.
Could CMS issue a civil monetary penalty for noncompliance?
The Centers for Medicare and Medicaid Services (CMS) has the same authority to impose sanctions on noncompliant organizations as HHS' Office for Civil Rights. Therefore, in theory, it could impose a fine of up to $1,919,173 on a Covered Entity or Business Associate who repeatedly failed to comply with the Administrative Requirements due to willful neglect.
Why are Business Associates required to comply with the Privacy Rule?
The applicability standard of the Privacy Rule (§164.104) was amended via the Final Omnibus Rule in 2013 to read “Where provided, the standards, requirements, and implementation specifications adopted under this part [the Privacy Rule] apply to a business associate.”
This means that a Business Associate may need to develop policies and procedures relating to permissible uses and disclosures and for managing access requests if an individual's ePHI is maintained in a separate designated record set from that of the Covered Entity.
Does a Business Associate have to designate a Privacy Officer?
This depends on the nature of the Business Associate's operations and the potential for interactions with the public and regulatory authorities. If there is likely to be only minimal interaction, the role of Privacy Officer could be assigned to the Security Officer.
What is considered PHI under HIPAA?
This is possibly the most frequently asked question relating to HIPAA compliance because what is considered PHI under HIPAA is complicated – so complicated that we have dedicated a full-page article to answering this question.
Why is the ONC/OCR Security Risk Assessment Tool not suitable for all organizations?
According to OCR's website “the tool’s features make it useful in assisting small and medium-sized health care practices and business associates”. This implies that it is not suitable for health plans, health care clearinghouses and larger organizations.
Additionally, the tool assumes a certain level of knowledge and that a number of measures have already been implemented to comply with Security Rule standards. If your organization is taking its first steps towards HIPAA compliance, you may find the tool too advanced for your needs.
How might an organization already have role-based access controls in place?
Many organizations use identity and access management services such as Microsoft Active Directory, Okta Lifecycle Management, or OpenLDAP (etc.) to control who in the organization has access to systems and databases. These services can often be used to comply with the Security Rule access control requirements.