HIPAA Audit: Compliance for Security
The Department of Health and Human Services' (DHHS) Office of e-Health Standards and Services released a two-page document, "Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews", listing the personnel who may be interviewed and the documents that may be requested during an onsite investigation or compliance audit.
Risk Management Implementation Specification
This requires implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Audit Controls Standard
This requires implementing hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (PHI/e-PHI).
Evaluation Standard
This comprises periodic technical and non-technical reviews that assess and document compliance with the HIPAA Security Rule and with the organization's own security policy.
Under the risk management standard, the organization is required to regularly assess its risks, identify and select countermeasures, and implement them so that security-related costs remain at an acceptable level. This must be repeated on a regular basis to ensure that the measures in place keep all risks at a reasonable and appropriate level.
Organizations are also strongly encouraged to go beyond the minimum required for HIPAA Security compliance and adopt additional security measures. An entity may evaluate its own compliance, have an external party evaluate it, or combine the two.
The Security Rule requires covered entities to periodically evaluate their security safeguards to ensure compliance with their own security policies and with the Rule's requirements.
The Goal of HIPAA Audit and Evaluation for Compliance
The objectives of a HIPAA audit are to:
- Assess whether all identified vulnerabilities have been addressed
- Verify that all compliance requirements are being met.
| HIPAA Security Rule Standard | Implementation Specification |
|---|---|
| 164.308 (a) (1) (i) Security Management Process | 164.308 (a) (1) (ii) (B) Risk Management |
| 164.308 (a) (8) Evaluation | - |
The main objective of risk management is to implement the security measures necessary to reduce risks to a reasonable and appropriate level.
NIST defines risk as the net negative impact of a vulnerability being exercised, taking into account both the probability that it occurs and the impact if it does. A risk is commonly described as the likelihood that a threat source will exploit a vulnerability and cause adverse consequences for the organization's operations. Risk management is therefore the process of identifying and assessing risks and taking action to keep them at a manageable level.
Security professionals define risk management as the identification, selection and implementation of controls, reporting and countermeasures that keep the level of risk commensurate with the cost of the controls.
The main goal of the audit controls standard is to put in place the software, hardware and other mechanisms that record and examine activity in information systems that contain or use e-PHI.
Organizations are required to assess their systems and implement mechanisms that record activity and allow it to be reviewed for suspicious behaviour. Audit controls should trace an action not only to the device but to the individual user, so that individuals can be held accountable, and policies should define the steps to take when discrepancies are found.
Audit controls can apply to a network, a software application, a system or any other technical device. It is normally up to the entity to determine how long audit information is retained, and the retention period must be long enough to support investigation of incidents and of inappropriate access.
The organization also determines who may access audit log data, provides secure storage for it, and protects the logged data, particularly any e-PHI it contains. Because audit trails are often evidence in legal proceedings, they must be handled with care to preserve their authenticity.
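As an added illustration of the audit-control requirements above (example code written for this page, not from DHHS or any product), the following Python keeps an e-PHI access log in which every entry names both the user and the device, and each entry is chained to the previous one with an HMAC so that later alteration or removal of entries is detectable when the log is reviewed or produced as evidence. The key, user names, device names and record identifiers are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demo key: in practice the key is held apart from the systems being
# logged (e.g. in a KMS or HSM) so that compromising a host does not allow re-signing.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _entry_mac(key: bytes, prev_mac: str, entry: dict) -> str:
    # Canonical JSON so an identical event always authenticates to the same value;
    # including prev_mac chains each entry to the one before it.
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log: list, key: bytes, user: str, device: str, action: str,
                 record_id: str, ts: Optional[str] = None) -> dict:
    """Append one e-PHI access event, attributed to both a user and a device."""
    entry = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,            # the accountable individual
        "device": device,        # the workstation or host that was used
        "action": action,        # read / update / export ...
        "record_id": record_id,  # patient record identifier, never the e-PHI itself
    }
    prev_mac = log[-1]["mac"] if log else ""
    log.append({**entry, "mac": _entry_mac(key, prev_mac, entry)})
    return log[-1]


def verify_chain(log: list, key: bytes) -> Optional[int]:
    """Return the index of the first altered or displaced entry, or None if intact.

    Removal of the newest entries is only caught if the latest MAC is also kept
    out of band (e.g. by a separate log-integrity service)."""
    prev_mac = ""
    for i, row in enumerate(log):
        entry = {k: v for k, v in row.items() if k != "mac"}
        if not hmac.compare_digest(row.get("mac", ""), _entry_mac(key, prev_mac, entry)):
            return i
        prev_mac = row["mac"]
    return None


def accesses_to_record(log: list, record_id: str) -> list:
    """Trace every access to a record back to the user, device and action."""
    return [(r["user"], r["device"], r["action"]) for r in log if r["record_id"] == record_id]
```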
The aim of the evaluation process is to periodically assess an entity's technical and non-technical compliance with the standards of this regulation, and in particular to verify that the entity continues to adhere to the Rule in response to environmental or operational changes that may affect its e-PHI.
Covered entities are required to periodically evaluate their security safeguards against their security policy and the Security Rule requirements. After assessing changes to its security environment, an entity must decide whether a new evaluation is needed. Evaluations may be performed internally or by an external party, and cover both technical and non-technical security components.
The only way to ensure that your entity's confidentiality, security and integrity controls are consistent with e-PHI compliance standards is to carry out regular audit checks.
HIPAA Audit Checklist released by DHHS' Office of e-Health Standards and Services
Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews
- Personnel that may be interviewed:
  - President, CEO or Director
  - HIPAA Compliance Officer
  - Lead Systems Manager or Director
  - Systems Security Officer
  - Lead Network Engineer and/or individuals responsible for:
    - administration of systems that store, transmit, or access Electronic Protected Health Information (EPHI)
    - administration of systems networks (wired and wireless)
    - monitoring of systems that store, transmit, or access EPHI
    - monitoring of systems networks (if different from above)
  - Computer Hardware Specialist
  - Disaster Recovery Specialist or person in charge of data backup
  - Facility Access Control Coordinator (physical security)
  - Human Resources Representative
  - Director of Training
  - Incident Response Team Leader
  - Others as identified…
- Documents and other information that may be requested for investigations/reviews:
a. Policies and Procedures and other evidence that address the following:
- Prevention, detection, containment, and correction of security violations
- Employee background checks and confidentiality agreements
- Establishing user access for new and existing employees
- List of authentication methods used to identify users authorized to access EPHI
- List of individuals and contractors with access to EPHI to include copies of pertinent Business Associate agreements
- List of software used to manage and control access to the Internet
- Detecting, reporting, and responding to security incidents (if not in the security plan)
- Physical security
- Encryption and decryption of EPHI
- Mechanisms to ensure integrity of data during transmission, including transmission via portable media and devices (e.g., laptops, cell phones, BlackBerrys, thumb drives)
- Monitoring systems use - authorized and unauthorized
- Use of wireless networks
- Granting, approving, and monitoring systems access (for example, by level, role, and job function)
- Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
- Termination of systems access
- Session termination policies and procedures for inactive computer systems
- Policies and procedures for emergency access to electronic information systems
- Password management policies and procedures
- Secure workstation use (documentation of specific guidelines for each class of workstation, e.g., on-site, laptop, and home system usage)
- Disposal of media and devices containing EPHI
b. Other Documents:
- Entity-wide Security Plan
- Risk Analysis (most recent)
- Risk Management Plan (addressing risks identified in the Risk Analysis)
- Security violation monitoring reports
- Vulnerability scanning plans
- Results from most recent vulnerability scan
- Network penetration testing policy and procedure
- Results from most recent network penetration test
- List of all user accounts with access to systems that store, transmit, or access EPHI (for active and terminated employees)
- Configuration standards to include patch management for systems that store, transmit, or access EPHI (including workstations)
- Encryption or equivalent measures implemented in systems that store, transmit, or access EPHI
- Organization chart to include staff members responsible for general HIPAA compliance to include the protection of EPHI
- Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
- Policies and procedures governing the use of virus protection software
- Data backup procedures
- Disaster recovery plans
- Disaster recovery test plans and results
- Analysis of information systems, applications, and data groups according to their criticality and sensitivity
- Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
- List of all Primary Domain Controllers (PDC) and servers
- Inventory log recording the owner and movement of media and devices that contain EPHI
Let us help you complete your HIPAA compliance with an audit.
Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591