HIPAA Audit Checklist

A HIPAA audit checklist is a helpful resource for healthcare organizations and other HIPAA covered entities. It aims to identify existing risks to the integrity of electronic protected health information (ePHI). The changes to the Health Insurance Portability and Accountability Act (HIPAA) introduced in March 2013 were a reaction to the growing number of ePHI breaches that the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) had received. The elevated number of data breaches was largely because many entities had been using personal mobile devices to communicate ePHI.

In addition, OCR launched an audit protocol. It is neither a “required” nor an “addressable” specification, but in view of the new OCR compliance evaluations, it is better to be ready for HIPAA audits using a HIPAA audit checklist. OCR planned to survey 1,200 HIPAA-covered entities in February 2014. 800 healthcare organizations and 400 business associates were first selected to provide information regarding patient visits, how ePHI is shared, income and business locations, so as to evaluate the “size, complexity and suitability of a respondent for an audit.”

Being chosen to participate in the survey does not automatically mean that a covered entity should prepare for a HIPAA audit. Nevertheless, it is best for all covered entities to understand the audit protocol. In past compliance assessments, OCR found that the majority of the evaluated covered entities failed to satisfy the privacy, security and breach notification requirements. Apparently, this was because covered entities were “not aware of the requirements” – something which a HIPAA audit checklist could address.

The probability that any given entity will be chosen for the OCR survey and need to get ready for a HIPAA audit is low. There are over 700,000 healthcare providers and about 2-3 million Business Associates that may be chosen for a compliance evaluation. Nevertheless, it is every covered entity's responsibility to safeguard the integrity of ePHI, and the best means to achieve that is by using a secure messaging solution.

Why Use Secure Messaging Solutions?

Secure messaging solutions were developed in response to BYOD policies and the growing use of mobile devices at work. A private communications network is necessary to allow authorized employees and Business Associates to access encrypted ePHI and correspond with other authorized users by means of secure messaging applications.

The apps can be installed on desktop computers and personal mobile devices and work on almost any operating system. A cloud-based platform monitors communication and access to ePHI. The platform has safeguards that prevent the transmission of ePHI beyond the healthcare organization's network. There are administrative controls to prevent access to ePHI by unauthorized persons when a computer or mobile device is left unattended, and the system can set “message lifespans” on all messages.

The platform likewise monitors activity on the network to ensure adherence to the secure messaging policies, and it generates audit reports that help administrators assess risks. Secure messaging solutions can assist covered entities in other ways, including:

  • Vendors that provide secure messaging solutions have access controls in place and can restrict physical access to their secure servers by unauthorized persons.
  • Secure messaging solutions employ a mix of SSL protocols to create uniquely encrypted channels for communicating ePHI.
  • The audit reports ensure that risk evaluations are performed on a regular basis and that computing resources are appropriately documented.
  • Secure messaging solutions have systems in place to authenticate users’ identities and to prevent ePHI from being copied, pasted or saved to an external hard drive.
  • Most secure messaging solutions are equipped with Business Continuity Plans and Disaster Recovery Procedures for restoring data in line with the covered entity's recovery time objective.

How Else to Prepare for a HIPAA Audit

A secure messaging solution provides the mechanisms so that covered entities can conform to the physical and technical requirements of the HIPAA Security Rule. Healthcare providers and Business Associates need to create policies to instruct employees on the best practices to follow to be in compliance with the HIPAA Security Rule administrative safeguards.

To get ready for a HIPAA audit, healthcare providers and Business Associates should also carry out their own risk management evaluation, prepare security and training plans and document their data management. Awareness of what constitutes a breach of ePHI and how to submit a breach report to OCR is also necessary.

An ePHI breach involves an impermissible use or disclosure of ePHI, and it is presumed to be a breach unless the healthcare provider or business associate can show that there is a low probability that the ePHI has been compromised, as in the case where the ePHI was encrypted to a very high standard. Complete information on what constitutes an ePHI breach and the proper way to report it is available on the U.S. Department of Health and Human Services' website.

The Advantages of Complying with the HIPAA Audit Protocol

Preparing for a HIPAA audit allows healthcare providers and Business Associates to identify any risks to ePHI integrity and minimize the risk of penalties and probable civil legal action in case a breach of ePHI happens. Choosing a secure messaging solution to eliminate those risks brings a number of important benefits. Functions like delivery notifications and read receipts minimize the time that medical professionals would otherwise spend playing phone tag. This allows them to improve workflows and allocate their resources more productively in many cases. A healthcare professional can use a HIPAA-compliant secure messaging app to:

  • Speed up patient admissions.
  • Handle emergency room hand-offs and patient discharges.
  • Send or receive x-rays, wound images and other lab or test results.
  • Work on a patient's treatment plan with colleagues.
  • Address patient concerns and request physician consultations.
  • Verify prescriptions and clear up any prescription queries.

Healthcare professionals based outside the hospital environment – or those who offer telemedicine services – can safely send ePHI “on the go” from any mobile device with secure messaging, saving time, boosting efficiency and improving the quality of patient care.

Gather Your HIPAA Audit Checklist Without Delay

The next round of OCR compliance evaluations will give OCR a chance to look at the various mechanisms being employed to comply with HIPAA. The plan likewise helps with identifying best practices and discovering whether there are any new risks and vulnerabilities. A HIPAA audit checklist is the ideal tool to spot any risks or vulnerabilities within your healthcare institution or associated business. It is in your own interest to gather a HIPAA audit checklist and carry out an audit to protect the integrity of ePHI. You never know when OCR will be visiting you!

HIPAA Audit Update – July 2016

The Department of Health and Human Services’ Office for Civil Rights (OCR) has already chosen 167 covered entities for a HIPAA compliance audit. The covered entities chosen for a compliance audit were notified by email.