Prepare for a HIPAA Assessment: A Guide for Healthcare Organizations
All of us likely remember hearing something like this from our parents: “when I come in there, your room better be clean!”
As kids, we lived under their roof and rules, so when we heard that, we knew it was time to get to tidying our spaces before the “inspection” commenced. (Of course, you did have the option to leave it, but those weren’t consequences you probably wanted to face.) After a time, you probably picked up all the harder-to-reach spots you knew your mom would check or the particular things that especially annoyed your dad, and so you made sure to take care of them.
When it comes to HIPAA compliance, the concept is the same—you’re not trying to pass inspection from your parents, you’re trying to successfully pass an audit from the Health and Human Services’ Office of Civil Rights (OCR), and one of the ways you can help yourself do that is to assess your systems, policies, and procedures in the same way the OCR would if they were auditing you.
You can either do this yourself through a self-assessment or hire an external auditor to do it for you and in fact, either option is recommended by the OCR itself—in its April 2018 cybersecurity newsletter, OCR pointed out the benefits of performing a HIPAA gap analysis in addition to a risk analysis.
As one of these external assessors you could potentially engage to help, we’re very familiar with the details the OCR wants you to look at, and in this post, we’re going to spend some time outlining the specific steps you should take when preparing for a HIPAA assessment.
Not only will you be in a better position for your next audit, but taking this kind of proactive approach to your HIPAA compliance program will also lay the foundation for your organization to build upon as your technology adoption increases.
7 Steps to Take When Preparing for Your HIPAA Compliance Assessment
1. Conduct an OCR-Compliant Risk Analysis
First things first: you must perform an inventory of all your information assets to see which relevant systems are housing protected health information (PHI) and electronic protected health information (ePHI) so that you can then begin to analyze and understand the risks that apply to them.
Apart from this being your first step in identifying vulnerabilities that could result in a breach of PHI, performing a risk analysis is specifically required by the HIPAA Security Rule, which mandates risk analysis for both Covered Entities (CEs) and their Business Associates (BAs). The importance of this phase cannot be overstated, as more than 90% of HIPAA violations stem from inadequacy here.
When you conduct your risk analysis, you’ll discover any gaps and weaknesses in your business which you can then mitigate before they become an issue. As such, conducting an annual risk analysis should be considered a standard part of your HIPAA compliance procedure.
2. Create and Evidence a Risk Management Plan
Once you’ve performed that risk analysis, you’ll use those results to articulate and document a risk management plan to help you reduce the discovered risks throughout the year.
Your risk management plan should include:
- Assigning responsibilities to staff for improvements to security measures;
- Mitigating risks;
- Following up to make sure the corrective actions are completed; and
- Documenting everything you do.
Because this is such a critical element to HIPAA compliance, you may find that bringing in a third party to evaluate could help set your mind at ease regarding your efforts. Our HIPAA Express service is an abbreviated, more focused assessment that can both bolster your risk management and evidence of your due diligence.
3. Document and Implement HIPAA Policies and Procedures
Aside from your risk concerns, you’ll also need to make sure that your organization’s HIPAA policies, procedures, and implemented controls map to and satisfy the HIPAA standards and implementation specifications.
For that, ensure all procedures and policies related to compliance with HIPAA rules are thoroughly documented. These documents also need to be easily accessible and available to help guide your workforce and everyday business operations as well as to satisfy audit requirements.
But it’s not enough to simply document policies and procedures as required under HIPAA—you must also implement the recorded items because if they aren’t, the documents themselves will make little difference when a breach or HIPAA audit arises.
4. Train Your Workforce
Understanding your vulnerabilities, documenting policies, and implementing the requisite and appropriate controls won’t be as effective if you don’t also get your personnel up to speed.
A well-trained workforce is the foundation of any good compliance program, and if you’re subject to HIPAA audits, they should be prepared accordingly—employees who haven’t been trained or don’t have experience with these regulations can increase the risk of a failed audit, so here’s how to avoid that:
- Who to Train: All employees involved with the processing of PHI or ePHI are to be adequately trained in maintaining its privacy and security.
- When to Train Them: Annual retraining is mandatory under HIPAA and will help you keep up to date with changes in the law and best practices for keeping your information safe. (Auditors will typically ask to see the last several years of training records.)
- What to Document: Records need to be kept demonstrating this training to auditors. You are required to document all training completed by employees and to train new employees soon after their start date.
5. Assign Roles and Responsibilities to Privacy and/or Security Officials
Your workforce should also be made aware of who your appointed privacy and security officials are, and their job descriptions, as well as their methods of appointment, should be recorded.
Whoever you assign to this role, your privacy or security official will:
- Monitor compliance with HIPAA policies and procedures on an ongoing basis.
- Maintain, implement, and remain up-to-date on all policies, procedures, and documentation related to HIPAA security compliance. (Think of it as being an airport traffic coordinator, keeping everything on time and schedule.)
- Ensure their fellow employees receive the aforementioned HIPAA training on policies and procedures.
6. Maintain an Inventory of Business Associate Agreements (BAAs)
Regarding these policies and procedures, they should include BAAs, which all healthcare practices should have in place. BAAs are required by law and HIPAA breaches can occur as a result of failing to sign BAAs with vendors. In fact, the OCR has issued many financial penalties for BAA failures, including those failures to obtain a signed HIPAA-compliant BAA from at least one vendor.
To remain HIPAA compliant, you should maintain an inventory of your BAAs and review them regularly.
7. Document Everything
Though we mentioned documentation above, it’s worth it to reiterate that the OCR and/or the external assessor you bring in will want to see proof that you’ve implemented all relevant HIPAA requirements, risk analysis, risk management plans, training, policies, and procedures.
When it comes to HIPAA, document, document, and document some more. If you’ve done something, make sure you have the documentation to prove that it was done—you want to be as thorough and detailed as possible.
Next Steps for Your HIPAA Compliance
Once you’ve taken all these steps and finalized all your evidence, you’re ready for an assessment, and your next step is to decide whether to go with a self-assessment or choose an independent third-party assessor. Either way, undergoing one of these will not only prepare you for a potential OCR audit, but it’ll also serve as an excellent way to demonstrate HIPAA compliance to your customers and potential customers.
To continue learning more about the intricacies of HIPAA so that you can better set expectations and strengthen your preparation even more, check out our other content that deconstructs different important aspects:
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.