Expert Assure Trust NOW Auditors

A HIPAA compliance audit is a thorough review process to ensure that an organization is following the regulations set by the Health Insurance Portability and Accountability Act (HIPAA).  A HIPAA audit is designed to protect the privacy and security of patients’ health information. A HIPAA audit is performed and required to ensure that a covered entity (such as a healthcare provider) and / or a business associate (such as a Software-as-a-Service (SaaS) company that processes protected health information (PHI)) is complying to the standards set by the HIPAA regulation to protect the privacy and security of PHI and electronic PHI (ePHI). 

This also includes, but is not limited to the following:

• Software developers creating applications that collect and share personally identifiable health data.
• Service providers whose clients create, receive, store, or transmit ePHI through their services.

These companies are considered business associates (BAs) under HIPAA and are required to adhere and comply with its administrative, technical, and physical safeguards (if applicable) to protect ePHI.

Below are the main components of a HIPAA compliance audit:

1. Policy and Procedure Review: Evaluating the organization’s written policies and procedures related to HIPAA compliance.
2. Risk Assessment: Identifying and analyzing potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
3. Training and Awareness: Ensuring that all employees are trained on HIPAA requirements and understand their roles in maintaining compliance.
4. Technical Safeguards: Assessing the technical measures in place to protect ePHI, such as encryption and access controls.
5. Physical Safeguards: Reviewing the physical measures to protect ePHI, like secure locations for servers and workstations (if applicable).
6. Administrative Safeguards: Checking the administrative actions, policies, and procedures to manage the selection, development, and maintenance of security measures. 
7. Interviews (fieldwork): Key personnel are interviewed to understand how HIPAA policies are implemented and maintained.

The company that is required to comply to a HIPAA audit should at a minimum prepare with the following key tasks:

1. Designate a HIPAA Security owner and/or Privacy Officer: Appoint individuals responsible for overseeing HIPAA compliance efforts.
2. Establish Audit Scope and Objectives: Define what will be audited, including policies, procedures, and technical safeguards.
3. Collect and Review Compliance Documentation: Gather all relevant documents that demonstrate compliance with the HIPAA regulations and requirements.
4. Interview Key Personnel: Speak with staff members to understand how HIPAA Policies are implemented and followed. Implement relevant HIPAA security awareness training.
5. Review Existing Security and Privacy Controls: Assess the effectiveness of current measures and controls in place to protect PHI and ePHI.
6. Perform Technical Assessments: Perform technical evaluations to identify vulnerabilities and ensure data protection measures are robust.

The key tasks above will help companies perform a self-assessment to identify any gaps or opportunities for improvement to meet the HIPAA regulatory requirements.