The Department of Health and Human Services' (DHHS) Office of e-Health Standards and Services released a 2-page document, "Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews", listing the people an investigator expects to interview and the documents an investigator expects to be produced.
The HIPAA Security Rule states very clearly the requirements for the Risk Management implementation specification, the Audit Controls standard, and the Evaluation standard:
Risk Management: implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Audit Controls: implement hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (e-PHI).
Evaluation: perform periodic technical and non-technical evaluations to assess how well the organization's policies and procedures meet the requirements of the Security Rule.
Under the Risk Management specification the organization must regularly assess its risks, then identify, select and implement the countermeasures needed to bring them to a reasonable and appropriate level, so that both the risk and the cost of controlling it stay acceptable. Because threats, systems and the workforce change, this is an ongoing process rather than a one-time exercise.
It is also recommended that an organization go beyond the minimum needed for HIPAA Security compliance and adopt additional security measures where they are warranted. The evaluation itself may be performed internally, by an external party, or jointly.
The Security Rule requires covered entities to periodically evaluate their security safeguards to confirm that they comply with the organization's security policies and with the requirements of the Rule.
The HIPAA audit objectives cover the following standards and implementation specifications:
| HIPAA Citation | Security Rule Standard / Implementation Specification | Implementation |
|---|---|---|
| 164.308(a)(1)(i) | Security Management Process (standard) | |
| 164.308(a)(1)(ii)(B) | Risk Management | Required |
| 164.308(a)(8) | Evaluation | Required |
| 164.312(b) | Audit Controls | Required |
The main objective of risk management is to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
NIST (SP 800-30) defines risk as the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of its occurrence. Put another way, risk is the likelihood that a threat source will exploit a vulnerability, combined with the adverse effect on the organization if it does. Risk management is therefore the process of identifying and assessing risks and taking action to keep them at a manageable level.
Security professionals describe risk management as the identification, selection and implementation of controls, reporting and countermeasures such that the residual risk is commensurate with the cost of controlling it.
The goal of the Audit Controls standard is to implement the hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use e-PHI.
Covered entities must assess their needs and implement mechanisms that record system activity and allow it to be reviewed for suspicious behaviour. Audit records should identify not only the device but also the user who performed an action, so that individuals can be held accountable, and policies should state the steps to take when a discrepancy is found.
Audit controls can apply to a network, a software application, a system or any other technical component. The entity decides how long audit records are retained; the retention period must be long enough to support investigation of incidents of inappropriate access.
The organization also determines who may access the audit log data, stores it securely and protects it from alteration, particularly where it relates to e-PHI. Audit trails are frequently used as evidence in legal proceedings, so they must be handled in a way that preserves their authenticity and integrity.
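The points above (record activity, attribute it to both a user and a device, review it for suspicious access, and protect the trail from alteration) can be illustrated with a small script. This is an added example, not part of the page or of any product it describes: the log records, usernames, workstation names, patient identifiers, thresholds and the after-hours window are all constructed assumptions, and it uses a SHA-256 hash chain as one simple way of detecting alteration of stored audit records.

```python
"""Added example: an e-PHI audit trail that attributes activity to user and
device, is hash-chained so alteration can be detected, and is reviewed for
suspicious access patterns. All records below are constructed sample data."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime

GENESIS = "0" * 64  # prev-hash value carried by the first record

# Constructed sample events (hypothetical users, workstations and patient IDs).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "jdoe",   "device": "WS-17", "action": "view",   "patient": "P1001", "ok": True},
    {"ts": "2024-03-04T09:15:00", "user": "jdoe",   "device": "WS-17", "action": "view",   "patient": "P1002", "ok": True},
    {"ts": "2024-03-04T02:40:00", "user": "asmith", "device": "WS-03", "action": "view",   "patient": "P2001", "ok": True},
    {"ts": "2024-03-04T02:41:00", "user": "asmith", "device": "WS-03", "action": "view",   "patient": "P2002", "ok": True},
    {"ts": "2024-03-04T02:42:00", "user": "asmith", "device": "WS-03", "action": "export", "patient": "P2003", "ok": True},
    {"ts": "2024-03-04T02:43:00", "user": "asmith", "device": "WS-03", "action": "view",   "patient": "P2004", "ok": True},
    {"ts": "2024-03-04T10:00:00", "user": "bwong",  "device": "WS-09", "action": "login",  "patient": None,    "ok": False},
    {"ts": "2024-03-04T10:00:10", "user": "bwong",  "device": "WS-09", "action": "login",  "patient": None,    "ok": False},
    {"ts": "2024-03-04T10:00:20", "user": "bwong",  "device": "WS-09", "action": "login",  "patient": None,    "ok": False},
]


def _digest(line):
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def chain_events(events):
    """Serialise events as JSON lines; each line carries the SHA-256 of the previous line."""
    lines, prev = [], GENESIS
    for ev in events:
        line = json.dumps(dict(ev, prev=prev), sort_keys=True)
        lines.append(line)
        prev = _digest(line)
    return lines


def chain_head(lines):
    """Hash of the last record; keep a copy off-host so tampering with the tail is detectable."""
    return _digest(lines[-1]) if lines else GENESIS


def verify_chain(lines, expected_head=None):
    """Return the index of the first record that breaks the chain, or None if intact.
    With expected_head given, a wrong final hash is reported as index len(lines)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        if json.loads(line).get("prev") != prev:
            return i
        prev = _digest(line)
    if expected_head is not None and prev != expected_head:
        return len(lines)
    return None


def tamper(lines, index, field, value):
    """Return a copy of lines with one field of record `index` changed (simulated tampering)."""
    copy = list(lines)
    rec = json.loads(copy[index])
    rec[field] = value
    copy[index] = json.dumps(rec, sort_keys=True)
    return copy


def review(events, night=(22, 6), patient_threshold=3, failed_login_threshold=3):
    """Flag after-hours e-PHI access, unusually broad access and repeated failed logins.
    The thresholds and the night window are illustrative, not values mandated by HIPAA."""
    after_hours = defaultdict(int)   # (user, device) -> after-hours record accesses
    patients = defaultdict(set)      # user -> distinct patient records touched
    failed = defaultdict(int)        # (user, device) -> failed login attempts
    for ev in events:
        who = (ev["user"], ev["device"])
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["patient"] is not None:
            patients[ev["user"]].add(ev["patient"])
            if hour >= night[0] or hour < night[1]:
                after_hours[who] += 1
        if ev["action"] == "login" and not ev["ok"]:
            failed[who] += 1
    findings = []
    for (user, device), n in after_hours.items():
        findings.append({"type": "after_hours_access", "user": user, "device": device, "count": n})
    for user, pats in patients.items():
        if len(pats) >= patient_threshold:
            findings.append({"type": "high_volume_access", "user": user, "patients": len(pats)})
    for (user, device), n in failed.items():
        if n >= failed_login_threshold:
            findings.append({"type": "repeated_failed_login", "user": user, "device": device, "count": n})
    return findings


if __name__ == "__main__":
    lines = chain_events(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(lines, chain_head(lines)) is None)
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

Two design points matter for the evidentiary use of the trail. Changing or deleting any record breaks the `prev` hash of the record after it, so `verify_chain` pinpoints the first altered position; but the last record has no successor, so a modification there is only caught when the chain head has been stored somewhere the log writer cannot change (a separate log server or write-once storage), which is what the optional `expected_head` argument models. Every finding carries both the user and the device, which is what allows the entity to hold an individual accountable rather than only a workstation.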
The aim of the Evaluation standard is to periodically assess the technical and non-technical compliance of an entity with the requirements of this regulation, and in particular to verify that the entity continues to meet the Rule as environmental or operational changes affect the security of its e-PHI.
Covered entities must periodically evaluate their security safeguards against their own security policy and the Security Rule requirements. Whenever the entity's environment changes, it should reassess whether a new evaluation is needed. Evaluations can be performed internally or by an external party and cover both technical and non-technical security components.
Regular audit checks are the only way to confirm that the confidentiality, integrity and availability of your entity's e-PHI are being maintained as the Security Rule requires.
Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews
President, CEO or Director
HIPAA Compliance Officer
Lead Systems Manager or Director
Systems Security Officer
Lead Network Engineer and/or individuals responsible for:
a. Policies and Procedures and other evidence that address the following:
b. Other Documents:
The Office for Civil Rights has published the audit protocols for Privacy and Security. For Covered Entities and now Business Associates alike, there is no longer any reason to delay establishing full compliance. The recently issued Omnibus Rule makes clear that enforcement of HIPAA compliance standards has arrived and will be vigorously pursued. Penalties and fines will be forthcoming for those that put off establishing compliant operations, and the now-published Privacy and Security Audit Protocols make equally clear what each entity can expect.
We have taken these protocols and molded them into our collaborative, consultative process. This ensures that we obtain all the required information but in a manner that is neither painful nor adversarial. Our goal is to gain the facts and insight through which to tailor changes to your work processes to bring them smoothly into compliant performance. The result is constructive changes and adjustments where and as needed with minimal disruption.
OCR does not need to understand your environment: they simply need to confirm that you are doing all you are required to do, and fine you if you aren’t. They have no interest in your operations beyond this determination and result. Other audit firms are likewise driven. Neither are concerned with the burden this can create, or whether any efficiencies can be cogenerated along with achieving compliance to offset it. This is precisely where we are different from all the rest. We do care.
We understand the escalating costs you face, the mounting bureaucracy of regulations and paperwork, the increased drive to automate and the disruptive change that can cause. Most firms fail to grasp this because they have no direct experience of it themselves. We know the challenges you face because we have been there ourselves. That is why we work with and for you to achieve these goals: get you compliant and set it up to stay that way by building it into your processes.
Our techniques are the industry-standard, time-proven methods used by all firms:
We interview your in-house experts to determine their knowledge, awareness, and engagement with the importance of these requirements to gain a sense of the environment. We share with them our knowledge of the regulations to enhance their knowledge.
We examine your policy and guidance documentation to ensure that the regulatory requirements are properly embodied in them, so that you have established the correct framework for performance, internal enforcement, and corrective action when needed.
We observe your staff at work as part of our gaining familiarity with your environment and to ensure that what we found in your documentation we actually find being practiced by your workforce.
We substantively test various parts of your automated systems to ensure that the stated specifications to support privacy and achieve the requirements of the Security Rule are in place and functioning correctly.
Our process verifies that all the requirements are being met regularly and reliably so that your expectations are being met and so that you can be confident in knowing rather than trusting that things are working properly.
The process is the same for both Covered Entities and Business Associates. One standard for all, applied to each operational context, means the Covered Entity can have the needed assurance that its Business Associates are meeting the requirements just as it is, and thus greater peace of mind and better risk control at every level.
Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591