On Thursday, May 26th, Janice Snyder, Partner and Director of Assurance Services; David Hammarberg, Partner and leader of the firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology practices; and Lynnanne Bocchi, Manager, hosted an introductory webinar on HIPAA Compliance Audits and discussed why these audits can be a vital resource for organizations seeking to ensure the security of the health information they handle.
The Health Insurance Portability and Accountability Act (HIPAA) sets standards for the protection of sensitive patient data and is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). These standards apply to covered entities, which are health care providers, health plans, and health care clearinghouses such as dental offices, hospitals, and health and welfare entities, and also to business associates, which are organizations that create, receive, maintain, or transmit patient information on a covered entity’s behalf, such as medical billing companies, law offices, and accounting firms. A HIPAA Compliance Audit is a third-party compliance audit designed to test the design and operating effectiveness of the controls and safeguards a covered entity or business associate has in place to protect the Protected Health Information (PHI) it has access to.
The OCR does not require a covered entity or business associate to have a HIPAA compliance audit completed; however, if the OCR finds noncompliance with HIPAA standards during its own investigation or audit, the covered entity or business associate could be liable for a large fine. In an era when attackers and phishing scammers are becoming increasingly sophisticated, healthcare data is becoming more valuable because a single record often contains all of an individual’s personally identifiable information (name, date of birth, Social Security number, insurance and medical details), as opposed to the single piece of information, such as a card number, that may be exposed in a financial breach. A HIPAA compliance audit is a valuable resource that gives an organization “peace of mind” that proper safeguards are in place to protect this sensitive patient data.
Once a covered entity or business associate determines that a HIPAA compliance audit should be completed, it should select a HIPAA compliance auditor. Importantly, organizations should seek a firm with a successful track record of serving healthcare entities that can combine that experience with demonstrated strength in providing internal controls and security services. Once an auditor is selected, the auditor will complete a HIPAA preassessment, which maps the existing processes and controls against the established HIPAA standards and identifies the gaps between them. The preassessment and walkthrough of these controls typically take approximately three to six months to complete. The auditor will then provide the covered entity or business associate with recommendations for changes to the processes in place.
Once the preassessment is complete, the HIPAA compliance audit period will be selected. It must begin at least six months after the preassessment date, to allow time for any recommendations or changes to be put into action. During the audit, the auditor tests the operating effectiveness of the controls and then produces an audit report with an opinion on the processes as compared to the HIPAA requirements. The report is not filed with the Department of Health and Human Services; it is used at the discretion of the organization and could serve as a resource during a government audit or investigation. Having a HIPAA compliance audit completed can reduce the risk that the covered entity or business associate will receive a finding of noncompliance, coupled with a large fine, from the Office for Civil Rights.
For more information regarding HIPAA compliance audits, or to explore how McKonly & Asbury’s multidisciplinary approach to HIPAA compliance audits can bring additional insight and value, visit our HIPAA services page. McKonly & Asbury is experienced in assisting clients in identifying and implementing the controls needed to pass a HIPAA compliance audit. Please contact us if you have questions about the process or are ready to move forward with a HIPAA assessment.