The Benefits of HIPAA Assessments for Healthcare Organizations
If you’ve ever owned a home in a neighborhood that has a homeowners association, you likely know that you have to pay those fees to avoid a lien being placed on your property, which could complicate your life in annoying ways. But on the flip side, paying those fees should mean you also reap the benefits like landscaping, community pool management, security, or maintenance.
If you squint, HIPAA assessments are a bit like those HOA fees. Companies both directly and indirectly connected to healthcare must navigate compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and annual assessments are a requirement.
HIPAA compliance assessments are designed to give healthcare organizations an idea of how they might fare during a potential HIPAA audit by the Health and Human Services (HHS) Office for Civil Rights (OCR). And while the stipulations on whether this should be an internal or an independently conducted assessment are murky, there are a few more advantages you can reap—beyond just maintaining compliance with the rules—by assessing your systems, policies, and procedures the same way the OCR would if it were auditing you.
Though we’re HIPAA assessors ourselves, we’re going to talk you through the benefits of choosing an external HIPAA assessor and how to maximize the rewards from completing your annual HIPAA assessment.
7 Benefits of HIPAA Compliance Assessments for Healthcare Organizations
By HIPAA compliance assessment, we mean a review of how well you’re complying with all standards and implementation specifications for the applicable parts of the HIPAA Security, Privacy, and Breach Notification Rules. These reviews can be performed either internally or through an external assessor:
- Internal: The employee performing the assessment should be independent of the processes being reviewed, must have sufficient knowledge of the standard, and should include evidence supporting their conclusions.
- External: An external assessor performing the assessment would be confirmed as independent from the process being reviewed, have sufficient knowledge of the standard, and use evidence to support their conclusions as captured in a formalized report that can be shared.
Regardless of which way you choose, annual robust HIPAA assessments can benefit your organization in several ways.
1. Better Preparedness for an OCR HIPAA Audit
HIPAA compliance audits are an organization’s way to protect itself from a breach by mitigating any internal or external risks or gaps that could expose it to non-compliance. They help you identify errors early and give you enough time to correct them before an OCR audit. Fail one of those, and you might be looking at some hefty penalties, including:
Consequences for Non-Compliance with HIPAA
- Fines and civil monetary penalties
- Ongoing security exposure
- Potential lawsuits arising from OCR action
- Reputational harm from negative publicity
- Resolution agreements that force you to implement and maintain controls
The good news is that random audits are rare, though the OCR does sometimes conduct arbitrary audits of covered entities and business associates. But it’s much more likely that one will be triggered by a complaint or a disclosure of a breach.
When you’ve been selected for an audit, expect to receive an email notification from the OCR. You must follow their instructions and respond within the timeframe they give you with thorough documentation and evidence that proves your HIPAA compliance efforts.
Performing a HIPAA compliance assessment can help your organization be prepared to pass an audit should one be triggered for whatever reason. Moreover, because the HIPAA Safe Harbor Law, introduced in early 2021, now gives the OCR flexibility when imposing fines related to a breach if the organization has implemented a recognized security framework, a HIPAA assessment might also help reduce those fines should your violations incur them.
2. Optimized Compliance and Security
Aside from being primed if the OCR comes calling, there are more incentives for regularly investing in and performing thorough audits—starting with the boon you’ll get for your security.
It can be tempting to forgo anything truly comprehensive, because—unlike certain other cybersecurity regulations—HIPAA does not require formal certification, and typically, any OCR HIPAA audit coincides with an investigation of non-compliance. That said, investing in broader self-auditing practices will help ensure your long-term compliance and your information security.
Under one of the Administrative Safeguards of the Security Rule, healthcare organizations must conduct a HIPAA risk assessment annually, but that requirement only mandates that you identify risks and vulnerabilities that could impact the confidentiality, integrity, and availability of electronic protected health information (ePHI).
While it’s important to shore up your efforts in this area—as it’s been documented as a common pitfall in HIPAA compliance—you should also expand your risk assessments to include all elements of HIPAA compliance, including:
- Whether you comply with the Privacy Rule and its permitted uses and disclosures of PHI.
- If you truly satisfy the Security Rule’s risk analysis and safeguard requirements.
- Your readiness for Breach Notification Rule compliance if a data breach does occur.
While it would require more effort—and more resources, if you bring in an external assessor—conducting a more inclusive HIPAA assessment will help you identify potential vulnerabilities in your security measures, allowing you to patch them before they can be exploited into real problems.
3. An Overall Culture of Compliance
In the same vein, when you take HIPAA compliance that seriously, it will also establish a culture of compliance throughout your organization.
During a HIPAA assessment, you’ll take the time to talk to or interview employees. This provides an opportunity to hear about what is working and what is not, which in turn can inform ongoing training.
4. Enhanced Employee Training
To drill down a bit, ongoing training on HIPAA privacy and security—as informed by those personnel interviews—is essential for healthcare organizations.
If you’re going to build an overall culture of HIPAA compliance, your employees will play a critical role—a HIPAA assessment will provide you a specific opportunity to look at training reports, observe workers, and provide immediate feedback or update training content to reflect your organization’s current state.
This will serve your larger, proactive HIPAA compliance program and help lay the foundation for your organization to build upon as your technology adoption increases or evolves.
5. Updated Current Policies and Procedures
Another critical part of your overall culture of HIPAA compliance is maintaining your policies and procedures documentation.
You’ve likely already implemented policies and procedures that best suit your culture and practice, but these also might change—if they haven’t already—which is why it’s recommended that organizations review their current policies and procedures and update them accordingly. But your auditors—be they an independent third party or the OCR—will also check if the policies were distributed and communicated to staff members.
It’s not enough to just write these things down—your organization doesn’t benefit from that effort if your workforce does not understand the documents and how to implement them. To be effective, implemented policies and procedures must be understood and followed, and performing HIPAA assessments provides an opportunity to:
- Make sure they’re working as they should.
- Identify any opportunities to make policies and procedures more effective.
6. Prevented Breaches
All this will serve to help prevent data breaches. The aforementioned required risk analysis will also help some, but performing a full HIPAA compliance assessment more deeply examines your compliance with each HIPAA regulatory requirement area.
That can help determine what HIPAA-required safeguards are already in place and are working well at your organization, and where there are gaps that need to be addressed.
The healthcare industry suffers more data breaches than any other industry in the U.S., but a HIPAA compliance assessment will help you identify weaknesses and prevent violations before they happen.
7. Compliance with 45 CFR §164.308(a)(8) - Evaluation
Of course, failure to complete HIPAA security compliance audits is, in and of itself, a violation of the HIPAA Security Rule’s Evaluation standard, which requires organizations to perform periodic technical and non-technical evaluations that establish the extent to which your security policies and procedures meet the HIPAA Security Rule requirements.
Performing a HIPAA compliance assessment will address this requirement, while also providing insight as to how you’re complying with the Breach Notification and Privacy rules as well.
Moving Forward with Your HIPAA Compliance Assessment
To achieve successful, seamless HIPAA compliance, it would help to push beyond what the law requires and conduct an annual compliance assessment to ensure your organization fulfills its obligations with the HIPAA Privacy, Security, and Breach Notification Rules.
You may choose to do this internally, but if you’re interested in engaging an external assessor, Schellman is here to help, should you elect to contact us and determine if we’re a good fit for you.
Otherwise, please read our other content that provides more helpful details and other solutions regarding HIPAA compliance:
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.