SlideShare a Scribd company logo

HIPAA Compliance Guide for Audits and Self-Audits

N
ntoscano50

The document discusses the second phase of the HHS HIPAA audit program which focuses on compliance with HIPAA's Privacy, Security, and Breach Notification Rules. It notes that OCR has published an updated audit protocol identifying around 180 areas that may be assessed. It recommends covered entities and business associates perform self-audits using the protocol as a guide, with an emphasis on policies/procedures, training, risk analysis, and documentation of decisions around addressable security standards. Failure to conduct a risk analysis or have comprehensive documentation has been identified as common compliance issues.

Education
1 of 4
Download to read offline
This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. HIPAA AUDIT PROGRAM • The second phase of the HIPAA audit program is underway. • Covered entities and business associates may be selected for a HIPAA audit. • OCR published a protocol that describes its standards for HIPAA audits. HIPAA SELF-AUDITS • To prepare for a possible audit, health plan sponsors and business associates should self-audit their compliance with the HIPAA rules. • OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance. • The SRA Tool can also be used to perform and document an entity’s security risk analysis. HIPAA Compliance Reviews – Audit Protocol The Department of Health and Human Services (HHS) has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules. HHS’ Office for Civil Rights (OCR) is responsible for conducting these audits. This second phase of the HIPAA audit program covers both covered entities and business associates. According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a compliance review to investigate. In connection with this second phase of HIPAA audits, OCR released an updated audit protocol that identifies potential areas of audit inquiry. To prepare for a possible HIPAA audit, covered entities and business associates should review their compliance with HIPAA’s Rules and make any necessary changes. OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance. LINKS AND RESOURCES • OCR’s audit protocol for covered entities and business associates • HIPAA’s Security Risk Assessment Tool (SRA Tool) o Download the SRA tool here o SRA Tool User Guide o SRA User Videos Provided by SterlingRisk
2 This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2016 Zywave, Inc. All rights reserved. EM 4/16 Also, even if a health plan or business associate is not selected for a Phase 2 audit, it is still important to remain prepared for a HIPAA compliance review—OCR will likely continue its enforcement efforts after the Phase 2 audits are complete. AUDIT PROTOCOL OCR published an audit protocol to provide clarity on the HIPAA standards that auditors may assess during an audit. OCR first made its HIPAA audit protocol available in 2012 in connection with its pilot audit program. In 2016, OCR released an updated audit protocol, which includes changes made by the HIPAA Omnibus final rule from 2013. The audit protocol is organized around modules, representing separate elements of privacy, security and breach notification. The updated audit protocol identifies approximately 180 areas for potential audit inquiry. According to OCR, the areas that are assessed during an audit will vary based on the type of covered entity or business associate selected for review. The audit protocol identifies “key activities” (HIPAA standards) and provides information on the legal requirements for each standard (“established performance criteria”), as well as potential audit inquiries related to the HIPAA requirements. Also, although the audit protocol’s requirements depend on the specific HIPAA standard being assessed, there are some recurring themes that indicate what the auditors may be looking for. For example, many of the protocols direct auditors to ask whether policies or procedures exist for a given HIPAA standard, and whether these policies and procedures have been updated on a periodic basis. HIPAA SELF-AUDITS Covered entities and business associates should perform periodic self-assessments of their HIPAA compliance and can use the audit protocol as a guide during this process. If a covered entity or business associate discovers an area of noncompliance, it should take steps to remedy the problem. OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance.
3 This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2016 Zywave, Inc. All rights reserved. EM 4/16 PRIVACY RULE REQUIREMENTS The audit protocol includes 89 areas of potential audit inquiry under the HIPAA Privacy Rule. For example, the audit protocol includes compliance questions regarding the Privacy Rule’s: • Use and disclosure rules • Minimum necessary standard • Privacy notice requirement • Business associate contract requirement • Individual rights requirements SECURITY RULE REQUIREMENTS The audit protocol includes 72 potential areas of audit inquiry that address the HIPAA Security Rule’s requirements for administrative, technical and physical safeguards for ePHI. Under the Security Rule, Special rules for fully insured health plans How the HIPAA Privacy Rule impacts the sponsor of a fully insured plan depends on whether the plan sponsor has access to PHI for plan administration purposes. Sponsors of fully insured plans that do not have access to PHI are only subject to a few of the Privacy Rule’s requirements. Sponsors of fully insured plans that have access to PHI and sponsors of self-funded plans, however, have additional compliance obligations under the Privacy Rule. Based on the audit protocol’s recurring themes, a HIPAA self-audit should emphasize the following HIPAA standards:  Does the covered entity or business associate have the required HIPAA policies and procedures for privacy, security and breach notification in place?  Have there been periodic updates to these policies and procedures?  Has the covered entity or business associate trained its workforce on HIPAA compliance, including any policy and procedure updates?  Has the entity performed a risk analysis to assess the potential risk and vulnerabilities for its electronic PHI (ePHI)?  If an entity has decided not to implement an “addressable” security standard, does it have documentation supporting its decision? Also, to prepare for a potential audit, an organization should confirm that its HIPAA documents (including its policies and procedures) are comprehensive, well-organized and easy to comprehend.
4 This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2016 Zywave, Inc. All rights reserved. EM 4/16 each type of safeguard has certain standards and implementation specifications associated with it. In an effort to provide covered entities and business associates with some flexibility, the Security Rule provides two categories of implementation specifications—“required” and “addressable.” While addressable implementation specifications are not optional, organizations have more options in determining how they will comply with these requirements. The audit protocol also addresses whether the entity has performed a risk analysis to assess the potential risks and vulnerabilities to all of the ePHI that it creates, receives, maintains or transmits. Conducting a risk analysis is a crucial first step in an organization’s efforts to comply with the Security Rule. The risk analysis directs what reasonable steps a covered entity or business associate should take to protect the ePHI it creates, transmits, receives or maintains. Failing to conduct a timely and thorough risk assessment has routinely been identified by OCR as a common HIPAA compliance problem. HHS, through its Office of the National Coordinator for Health Information Technology (ONC), has developed an interactive Security Risk Assessment Tool (SRA Tool) to assist organizations in performing and documenting security risk assessments. The SRA Tool is a software application that can be used by a covered entity or business associate as a resource (among other tools and processes) to review its implementation of the HIPAA Security Rule. HHS has also provided a User Guide and tutorial video to help organizations begin using the SRA Tool. BREACH NOTIFICATION RULES The audit protocol addresses HIPAA’s breach notification requirements for unsecured PHI, and, in addition to other breach notification standards, instructs auditors to review covered entities’ policies and procedures regarding breach notification. For example, the protocol asks whether the covered entity has policies and procedures in place for determining whether an impermissible use or disclosure triggers a breach notification requirement. The HIPAA Omnibus final rule from 2013 changed some of the standards for determining whether a breach notification is required. As part of their HIPAA compliance review, covered entities should make sure that their breach notification policies have been updated for the final rule and that their workforce has been trained on the notification standards. Compliance Tip If a covered entity or business associate decides not to implement an addressable specification (or if it implements an alternative standard), the entity must document the reasons for its decisions, including why it determined that the addressable specification was not a reasonable and appropriate safeguard.

Recommended

Performing an ocr hipaa audit
Performing an ocr hipaa auditPerforming an ocr hipaa audit
Performing an ocr hipaa auditcomplianceonline123
 
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?Shahid Shah
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
2010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V12010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V1GuardEra Access Solutions, Inc.
 
Ensure Compliance: A 25-Point Inspection Plan for Interoperability Initiatives
Ensure Compliance: A 25-Point Inspection Plan for Interoperability InitiativesEnsure Compliance: A 25-Point Inspection Plan for Interoperability Initiatives
Ensure Compliance: A 25-Point Inspection Plan for Interoperability InitiativesCognizant
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceHostway|HOSTING
 
Experience guide to or implementation and compliance 2015
Experience guide to or implementation and compliance 2015Experience guide to or implementation and compliance 2015
Experience guide to or implementation and compliance 2015Edifecs Inc
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessmentdata brackets
 

Recommended

Performing an ocr hipaa audit
Performing an ocr hipaa auditPerforming an ocr hipaa audit
Performing an ocr hipaa auditcomplianceonline123
 
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?Shahid Shah
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
2010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V12010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V1GuardEra Access Solutions, Inc.
 
Ensure Compliance: A 25-Point Inspection Plan for Interoperability Initiatives
Ensure Compliance: A 25-Point Inspection Plan for Interoperability InitiativesEnsure Compliance: A 25-Point Inspection Plan for Interoperability Initiatives
Ensure Compliance: A 25-Point Inspection Plan for Interoperability InitiativesCognizant
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceHostway|HOSTING
 
Experience guide to or implementation and compliance 2015
Experience guide to or implementation and compliance 2015Experience guide to or implementation and compliance 2015
Experience guide to or implementation and compliance 2015Edifecs Inc
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessmentdata brackets
 
Lawrbit Global Regulatory Intelligence
Lawrbit Global Regulatory IntelligenceLawrbit Global Regulatory Intelligence
Lawrbit Global Regulatory IntelligenceLawrbit Lextech India Private Limited
 
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...Polsinelli PC
 
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...Tracie Thompson
 
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014Accounting_Whitepapers
 
HIPAA Basic Healthcare Guide
HIPAA Basic Healthcare GuideHIPAA Basic Healthcare Guide
HIPAA Basic Healthcare GuideWirehead Technology
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurancemindleaftechnologies
 
Hipaa hitech requirements
Hipaa hitech requirementsHipaa hitech requirements
Hipaa hitech requirementsDQS Inc.
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMBMeHealthCareSolutions
 
Hitrust csf-assurance-program-requirements-v1 3-final
Hitrust csf-assurance-program-requirements-v1 3-finalHitrust csf-assurance-program-requirements-v1 3-final
Hitrust csf-assurance-program-requirements-v1 3-finalajcob123
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongLorianne Sainsbury-Wong
 
Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Schellman & Company
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simpleJose Ivan Delgado, Ph.D.
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Compliancy Group
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationSchellman & Company
 
Health insurance portability and accountability act (hipaa)
Health insurance portability and accountability act (hipaa)Health insurance portability and accountability act (hipaa)
Health insurance portability and accountability act (hipaa)ZyLAB
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule updateO'Connor Davies CPAs
 
HIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCRHIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCRDavid Sweigert
 
Perspective: Image Reactions
Perspective: Image ReactionsPerspective: Image Reactions
Perspective: Image Reactionsdanielledearment
 
Compliance Bulletin - OSHA Final Rule on Electronic Reporting
Compliance Bulletin - OSHA Final Rule on Electronic ReportingCompliance Bulletin - OSHA Final Rule on Electronic Reporting
Compliance Bulletin - OSHA Final Rule on Electronic Reportingntoscano50
 

More Related Content

What's hot

HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...Polsinelli PC
 
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...Tracie Thompson
 
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014Accounting_Whitepapers
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurancemindleaftechnologies
 
Hipaa hitech requirements
Hipaa hitech requirementsHipaa hitech requirements
Hipaa hitech requirementsDQS Inc.
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMBMeHealthCareSolutions
 
Hitrust csf-assurance-program-requirements-v1 3-final
Hitrust csf-assurance-program-requirements-v1 3-finalHitrust csf-assurance-program-requirements-v1 3-final
Hitrust csf-assurance-program-requirements-v1 3-finalajcob123
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongLorianne Sainsbury-Wong
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Compliancy Group
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationSchellman & Company
 
Health insurance portability and accountability act (hipaa)
Health insurance portability and accountability act (hipaa)Health insurance portability and accountability act (hipaa)
Health insurance portability and accountability act (hipaa)ZyLAB
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
HIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCRHIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCRDavid Sweigert
 

What's hot (20)

Lawrbit Global Regulatory Intelligence
Lawrbit Global Regulatory IntelligenceLawrbit Global Regulatory Intelligence
Lawrbit Global Regulatory Intelligence
 
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...
HIPAA Audits Are Here to Stay – Key Preparation Strategies for Business Assoc...
 
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
 
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
 
HIPAA Basic Healthcare Guide
HIPAA Basic Healthcare GuideHIPAA Basic Healthcare Guide
HIPAA Basic Healthcare Guide
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurance
 
Hipaa hitech requirements
Hipaa hitech requirementsHipaa hitech requirements
Hipaa hitech requirements
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
Hitrust csf-assurance-program-requirements-v1 3-final
Hitrust csf-assurance-program-requirements-v1 3-finalHitrust csf-assurance-program-requirements-v1 3-final
Hitrust csf-assurance-program-requirements-v1 3-final
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-Wong
 
Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
 
Health insurance portability and accountability act (hipaa)
Health insurance portability and accountability act (hipaa)Health insurance portability and accountability act (hipaa)
Health insurance portability and accountability act (hipaa)
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule update
 
HIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCRHIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCR
 

Viewers also liked

Perspective: Image Reactions
Perspective: Image ReactionsPerspective: Image Reactions
Perspective: Image Reactionsdanielledearment
 
Compliance Bulletin - OSHA Final Rule on Electronic Reporting
Compliance Bulletin - OSHA Final Rule on Electronic ReportingCompliance Bulletin - OSHA Final Rule on Electronic Reporting
Compliance Bulletin - OSHA Final Rule on Electronic Reportingntoscano50
 
Are You Prepared? - Hurricanes
Are You Prepared? - HurricanesAre You Prepared? - Hurricanes
Are You Prepared? - Hurricanesntoscano50
 
Compliance Overview - Americans with Disabilities Act (ADA)
Compliance Overview - Americans with Disabilities Act (ADA)Compliance Overview - Americans with Disabilities Act (ADA)
Compliance Overview - Americans with Disabilities Act (ADA)ntoscano50
 
ACA Overview - 2017 Compliance Checklist
ACA Overview - 2017 Compliance ChecklistACA Overview - 2017 Compliance Checklist
ACA Overview - 2017 Compliance Checklistntoscano50
 
Compliance Overview - OSHA’s General Duty Clause
Compliance Overview - OSHA’s General Duty ClauseCompliance Overview - OSHA’s General Duty Clause
Compliance Overview - OSHA’s General Duty Clausentoscano50
 
Perspective Image Reactions
Perspective Image ReactionsPerspective Image Reactions
Perspective Image Reactionsdanielledearment
 

Viewers also liked (11)

Perspective: Image Reactions
Perspective: Image ReactionsPerspective: Image Reactions
Perspective: Image Reactions
 
Compliance Bulletin - OSHA Final Rule on Electronic Reporting
Compliance Bulletin - OSHA Final Rule on Electronic ReportingCompliance Bulletin - OSHA Final Rule on Electronic Reporting
Compliance Bulletin - OSHA Final Rule on Electronic Reporting
 
Are You Prepared? - Hurricanes
Are You Prepared? - HurricanesAre You Prepared? - Hurricanes
Are You Prepared? - Hurricanes
 
Compliance Overview - Americans with Disabilities Act (ADA)
Compliance Overview - Americans with Disabilities Act (ADA)Compliance Overview - Americans with Disabilities Act (ADA)
Compliance Overview - Americans with Disabilities Act (ADA)
 
Image reaction activity
Image reaction activityImage reaction activity
Image reaction activity
 
DK
DKDK
DK
 
Keep smiling photos
Keep smiling photosKeep smiling photos
Keep smiling photos
 
Gabriel Munteanu CV
Gabriel Munteanu CVGabriel Munteanu CV
Gabriel Munteanu CV
 
ACA Overview - 2017 Compliance Checklist
ACA Overview - 2017 Compliance ChecklistACA Overview - 2017 Compliance Checklist
ACA Overview - 2017 Compliance Checklist
 
Compliance Overview - OSHA’s General Duty Clause
Compliance Overview - OSHA’s General Duty ClauseCompliance Overview - OSHA’s General Duty Clause
Compliance Overview - OSHA’s General Duty Clause
 
Perspective Image Reactions
Perspective Image ReactionsPerspective Image Reactions
Perspective Image Reactions
 

Similar to HIPAA Compliance Guide for Audits and Self-Audits

How to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 auditsHow to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 auditsCompliancy Group
 
HIPAA | HIPAA Training
HIPAA | HIPAA TrainingHIPAA | HIPAA Training
HIPAA | HIPAA Traininghimalya sharma
 
HIPAA | HIPAA Training
HIPAA | HIPAA TrainingHIPAA | HIPAA Training
HIPAA | HIPAA Traininghimalya sharma
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Compliancy Group
 
Training Your Business Associate Workforce: Understanding Obligations and Ri...
Training Your Business Associate Workforce: Understanding Obligations and Ri...Training Your Business Associate Workforce: Understanding Obligations and Ri...
Training Your Business Associate Workforce: Understanding Obligations and Ri...NJVC, LLC
 
Hitpc.20090716.Certification Workgroup
Hitpc.20090716.Certification WorkgroupHitpc.20090716.Certification Workgroup
Hitpc.20090716.Certification Workgroupsdaviss
 
EHR Certification for Medical Practices
EHR Certification for Medical PracticesEHR Certification for Medical Practices
EHR Certification for Medical PracticesMichael Duffy
 
Dimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperDimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperJason Cumberland
 
HIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdfHIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdfZoe Gilbert
 
2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and proceduresCharles McNeil
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
ComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDFComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDFPaulette Wunsch
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sIatric Systems
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcementsupportc2go
 
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactFirehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactArmor
 

Similar to HIPAA Compliance Guide for Audits and Self-Audits (20)

HIPAA Security Risk Assessment
HIPAA Security Risk Assessment HIPAA Security Risk Assessment
HIPAA Security Risk Assessment
 
social audit
social auditsocial audit
social audit
 
How to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 auditsHow to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 audits
 
HIPAA | HIPAA Training
HIPAA | HIPAA TrainingHIPAA | HIPAA Training
HIPAA | HIPAA Training
 
HIPAA | HIPAA Training
HIPAA | HIPAA TrainingHIPAA | HIPAA Training
HIPAA | HIPAA Training
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2
 
Training Your Business Associate Workforce: Understanding Obligations and Ri...
Training Your Business Associate Workforce: Understanding Obligations and Ri...Training Your Business Associate Workforce: Understanding Obligations and Ri...
Training Your Business Associate Workforce: Understanding Obligations and Ri...
 
Hitpc.20090716.Certification Workgroup
Hitpc.20090716.Certification WorkgroupHitpc.20090716.Certification Workgroup
Hitpc.20090716.Certification Workgroup
 
EHR Certification for Medical Practices
EHR Certification for Medical PracticesEHR Certification for Medical Practices
EHR Certification for Medical Practices
 
Dimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperDimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paper
 
Security Risk Assessment
Security Risk AssessmentSecurity Risk Assessment
Security Risk Assessment
 
Safety audit
Safety audit Safety audit
Safety audit
 
HIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdfHIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdf
 
2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
ComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDFComplianceGuidelinesUploaded6.14PDF
ComplianceGuidelinesUploaded6.14PDF
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​s
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
 
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactFirehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
 
Ohsas in brief
Ohsas in briefOhsas in brief
Ohsas in brief
 

Recently uploaded

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 

Recently uploaded (20)

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 

HIPAA Compliance Guide for Audits and Self-Audits

  • 1. This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. HIPAA AUDIT PROGRAM • The second phase of the HIPAA audit program is underway. • Covered entities and business associates may be selected for a HIPAA audit. • OCR published a protocol that describes its standards for HIPAA audits. HIPAA SELF-AUDITS • To prepare for a possible audit, health plan sponsors and business associates should self-audit their compliance with the HIPAA rules. • OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance. • The SRA Tool can also be used to perform and document an entity’s security risk analysis. HIPAA Compliance Reviews – Audit Protocol The Department of Health and Human Services (HHS) has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules. HHS’ Office for Civil Rights (OCR) is responsible for conducting these audits. This second phase of the HIPAA audit program covers both covered entities and business associates. According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a compliance review to investigate. In connection with this second phase of HIPAA audits, OCR released an updated audit protocol that identifies potential areas of audit inquiry. To prepare for a possible HIPAA audit, covered entities and business associates should review their compliance with HIPAA’s Rules and make any necessary changes. OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance. LINKS AND RESOURCES • OCR’s audit protocol for covered entities and business associates • HIPAA’s Security Risk Assessment Tool (SRA Tool) o Download the SRA tool here o SRA Tool User Guide o SRA User Videos Provided by SterlingRisk
  • 2. 2 This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2016 Zywave, Inc. All rights reserved. EM 4/16 Also, even if a health plan or business associate is not selected for a Phase 2 audit, it is still important to remain prepared for a HIPAA compliance review—OCR will likely continue its enforcement efforts after the Phase 2 audits are complete. AUDIT PROTOCOL OCR published an audit protocol to provide clarity on the HIPAA standards that auditors may assess during an audit. OCR first made its HIPAA audit protocol available in 2012 in connection with its pilot audit program. In 2016, OCR released an updated audit protocol, which includes changes made by the HIPAA Omnibus final rule from 2013. The audit protocol is organized around modules, representing separate elements of privacy, security and breach notification. The updated audit protocol identifies approximately 180 areas for potential audit inquiry. According to OCR, the areas that are assessed during an audit will vary based on the type of covered entity or business associate selected for review. The audit protocol identifies “key activities” (HIPAA standards) and provides information on the legal requirements for each standard (“established performance criteria”), as well as potential audit inquiries related to the HIPAA requirements. Also, although the audit protocol’s requirements depend on the specific HIPAA standard being assessed, there are some recurring themes that indicate what the auditors may be looking for. For example, many of the protocols direct auditors to ask whether policies or procedures exist for a given HIPAA standard, and whether these policies and procedures have been updated on a periodic basis. HIPAA SELF-AUDITS Covered entities and business associates should perform periodic self-assessments of their HIPAA compliance and can use the audit protocol as a guide during this process. If a covered entity or business associate discovers an area of noncompliance, it should take steps to remedy the problem. OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance.
  • 3. 3 This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2016 Zywave, Inc. All rights reserved. EM 4/16 PRIVACY RULE REQUIREMENTS The audit protocol includes 89 areas of potential audit inquiry under the HIPAA Privacy Rule. For example, the audit protocol includes compliance questions regarding the Privacy Rule’s: • Use and disclosure rules • Minimum necessary standard • Privacy notice requirement • Business associate contract requirement • Individual rights requirements SECURITY RULE REQUIREMENTS The audit protocol includes 72 potential areas of audit inquiry that address the HIPAA Security Rule’s requirements for administrative, technical and physical safeguards for ePHI. Under the Security Rule, Special rules for fully insured health plans How the HIPAA Privacy Rule impacts the sponsor of a fully insured plan depends on whether the plan sponsor has access to PHI for plan administration purposes. Sponsors of fully insured plans that do not have access to PHI are only subject to a few of the Privacy Rule’s requirements. Sponsors of fully insured plans that have access to PHI and sponsors of self-funded plans, however, have additional compliance obligations under the Privacy Rule. Based on the audit protocol’s recurring themes, a HIPAA self-audit should emphasize the following HIPAA standards:  Does the covered entity or business associate have the required HIPAA policies and procedures for privacy, security and breach notification in place?  Have there been periodic updates to these policies and procedures?  Has the covered entity or business associate trained its workforce on HIPAA compliance, including any policy and procedure updates?  Has the entity performed a risk analysis to assess the potential risk and vulnerabilities for its electronic PHI (ePHI)?  If an entity has decided not to implement an “addressable” security standard, does it have documentation supporting its decision? Also, to prepare for a potential audit, an organization should confirm that its HIPAA documents (including its policies and procedures) are comprehensive, well-organized and easy to comprehend.
  • 4. 4 This Compliance Overview is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2016 Zywave, Inc. All rights reserved. EM 4/16 each type of safeguard has certain standards and implementation specifications associated with it. In an effort to provide covered entities and business associates with some flexibility, the Security Rule provides two categories of implementation specifications—“required” and “addressable.” While addressable implementation specifications are not optional, organizations have more options in determining how they will comply with these requirements. The audit protocol also addresses whether the entity has performed a risk analysis to assess the potential risks and vulnerabilities to all of the ePHI that it creates, receives, maintains or transmits. Conducting a risk analysis is a crucial first step in an organization’s efforts to comply with the Security Rule. The risk analysis directs what reasonable steps a covered entity or business associate should take to protect the ePHI it creates, transmits, receives or maintains. Failing to conduct a timely and thorough risk assessment has routinely been identified by OCR as a common HIPAA compliance problem. HHS, through its Office of the National Coordinator for Health Information Technology (ONC), has developed an interactive Security Risk Assessment Tool (SRA Tool) to assist organizations in performing and documenting security risk assessments. The SRA Tool is a software application that can be used by a covered entity or business associate as a resource (among other tools and processes) to review its implementation of the HIPAA Security Rule. HHS has also provided a User Guide and tutorial video to help organizations begin using the SRA Tool. BREACH NOTIFICATION RULES The audit protocol addresses HIPAA’s breach notification requirements for unsecured PHI, and, in addition to other breach notification standards, instructs auditors to review covered entities’ policies and procedures regarding breach notification. For example, the protocol asks whether the covered entity has policies and procedures in place for determining whether an impermissible use or disclosure triggers a breach notification requirement. The HIPAA Omnibus final rule from 2013 changed some of the standards for determining whether a breach notification is required. As part of their HIPAA compliance review, covered entities should make sure that their breach notification policies have been updated for the final rule and that their workforce has been trained on the notification standards. Compliance Tip If a covered entity or business associate decides not to implement an addressable specification (or if it implements an alternative standard), the entity must document the reasons for its decisions, including why it determined that the addressable specification was not a reasonable and appropriate safeguard.