HIPAA Audit (Risk Analysis) and Attestation for Covered Entities
More than a simple gap assessment, the HIPAA risk analysis is designed to assess an organization's risk management and regulatory effectiveness.
Over the past 18 years, healthcare organizations have seen the responsibilities of the HIPAA privacy and security officer grow from HIPAA program support and training to a role comparable to that of a risk manager. Compliance officer tasks now include implementing annual audits, updating policies and procedures, monitoring the organization to reduce data breach events, managing business associates and agreements, and effectively disseminating privacy and security standards across all business units.
Today, healthcare organizations must be proactive in identifying, managing, and controlling existing and future regulatory risks. To ensure each audit delivers value, HIPAA Analytics begins each engagement with a Statement of Work that includes:
- The expectations or goal of the audit
- Assessing external events, such as new regulations and how they impact the organization
- Analytics that assist with benchmarking and metrics for quality improvement
- Documentation of strengths, weaknesses, opportunities, and threats
- Ensure that audit coverage will provide early warning of risk indicators
- Capture and share knowledge and best practices for use throughout the organization
- Address the need for continual learning and training elements to improve business judgment and perspective
- Provide balance, independence, objectivity, and value
HIPAA Audit Scope
A HIPAA risk analysis identifies relevant privacy and security risks the organization faces, details the risks within each area, and categorizes them by priority. With such an assessment, management can make informed decisions regarding risk mitigation and allocations of risk management resources. In a typical audit, areas of assessment include privacy and security policies and procedures, business operations/compliance process, management, staff and volunteer interviews, review of all business units, technology/security side operations, examination of business associate and subcontractor agreements, business operations/compliance PHI/EPHI usage, and training and awareness programs.
HIPAA Privacy and Security Attestation
HIPAA Analytics may also provide an audit attestation, a recognized method to “attest” that the Covered Entity has conducted a HIPAA audit (Risk Analysis) by an independent consulting firm to obtain reasonable assurance about whether:
- The accompanying areas of audit emphasis (HIPAA standards relating to a Covered Entity) present fairly, and in all material respects, the aspects of client policies, procedures and operations.
- The HIPAA policies and procedures included in the areas of audit emphasis were suitably designed and operational to achieve the control objectives specified in the HIPAA standards.
The attestation audit is conducted on-site as a part of the Risk Analysis specific to the client business operation and the customers they serve.
Types of Covered Entity and Business Associate Engagements
- Medical Software
- eHealth / Virtual Medicine
- Patient Engagement Applications
- Revenue Cycle Management
- Corporate Business Units
- Covered Entities
- Hybrid Entities
- Ambulatory Clinics
- Behavioral Health
- Community Service Organizations
- Healthcare Foundations
How HIPAA Analytics Can Help
More than examining for deficiencies, HIPAA Analytics audit services approach client examinations with a focus on analytics that provide rich insight into the compliance program. By digging deeper into the root cause of issues and uncovering business/compliance process patterns, HIPAA Analytics audits help validate client concerns, assess options and predict compliance performance.
HIPAA Analytics is based in Minneapolis/St. Paul, MN, and provides client services nationally.