HIPAA “Desk Audit” for Small and Mid-Sized Providers and Business Associates

HIPAA Desk Audit

The HIPAA Analytics Desk Audit is a valuable and cost-effective way for small to mid-sized providers and business associates to receive an assessment of their current HIPAA privacy and security compliance efforts. The Desk Audit is conducted remotely, applying the risk analysis guidance of the Office for Civil Rights (OCR) Audit Program Protocol and guidance from the National Institute of Standards and Technology (NIST) to assess the provider's or business associate's HIPAA privacy and security documentation. The Desk Audit covers the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.

Document Collection and Compliance Clarification

The Desk Audit is accomplished through a comprehensive compliance document review and a clarification worksheet, which allows the audit participant to detail specific information about how it has implemented its HIPAA privacy, security and breach notification requirements. At the conclusion of the Desk Audit, the provider or business associate receives a preliminary report outlining findings and recommended remediation efforts to address compliance weaknesses. As part of the remediation effort, HIPAA Analytics offers actionable guidance on improving the compliance program.

Because no on-site review of audit participant facilities is required, the Desk Audit is streamlined: participant documentation and clarification input are collected remotely to cost-effectively assess current HIPAA privacy and security compliance levels.

Contact us to learn more on how your organization can obtain a cost-effective assessment of its HIPAA privacy and security compliance level.

Based in Minneapolis/St. Paul, MN, we are centrally located to serve national clients.

HIPAA Risk Analysis and Attestation

The HIPAA Audit (Risk Analysis)
More than a simple gap assessment, the HIPAA risk analysis is designed to assess an organization's risk management and regulatory effectiveness.

Over the past 13 years, healthcare organizations have witnessed the responsibilities of the HIPAA privacy and security officer grow from HIPAA program support and training to a role comparable to that of a risk manager. Compliance officer tasks now include: HIPAA Final Rule updates, implementing annual audits, updating policies and procedures, monitoring the organization to reduce data breach events, managing business associates and their agreements, and effectively disseminating privacy and security standards across all business units.

We believe that healthcare organizations must be proactive in identifying, managing, and controlling existing and future regulatory risks. To ensure each audit delivers value, HIPAA Analytics begins each engagement by working with the client to develop an audit plan that includes:

  • The expectations or goals of the audit
  • An assessment of external events, such as new regulations, and how they impact the organization
  • Analytics that assist with benchmarking and metrics for quality improvement
  • Documentation of strengths, weaknesses, opportunities, and threats
  • Assurance that audit coverage will provide early warning of risk indicators
  • Capture and sharing of knowledge and best practices for use throughout the organization
  • Continual learning and training elements to improve business judgment and perspective
  • Balance, independence, objectivity, and value

Audit Scope
A HIPAA risk analysis identifies the relevant privacy and security risks the organization faces, details the risks within each area, and categorizes them by priority. With such an assessment, management can make informed decisions regarding risk mitigation and the allocation of risk management resources. In a typical audit, areas of assessment include: privacy and security policies and procedures; business operations and compliance processes; interviews with management, staff and volunteers; review of all business units; technology and security operations; examination of business associate and subcontractor agreements; PHI usage within business operations and compliance processes; and training and awareness programs.

HIPAA Analytics also gives healthcare organizations flexibility in audit focus. For example, audit examinations may include:

  • Meaningful Use security risk analysis
  • Privacy and security audit report and opinion letter attesting that HIPAA controls are suitably designed and operational
  • HIPAA business associate audit that provides assurance to the business associate's healthcare customers that it meets or exceeds HIPAA requirements
  • Audit of Protected Health Information (PHI), providing an organization-wide inventory of PHI, business processes and risk assessment
  • Audit of Data Breach Plan management and effectiveness
  • Required HIPAA security evaluation due to organizational acquisition or partnering
  • Review of the HIPAA Contingency Plan, including the Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedure, and Applications and Data Criticality Analysis

HIPAA Privacy and Security Attestation
The audit attestation is a widely recognized standard “attesting” that a healthcare organization or business associate has had its HIPAA privacy and security policies, procedures and business processes examined by an independent consulting firm, and that the examination concluded the organization met or exceeded HIPAA requirements.

The attestation audit is conducted on-site and is customized to the organization's specific business operations and the customers it serves.

Types of Engagements

  • Ambulatory Clinics
  • Behavioral Health
  • Urgent Care Clinics
  • Healthcare Data Centers
  • Ambulatory Surgery
  • Healthcare Foundations
  • Software Compliance Review
  • eHealth / Virtual Medicine
  • Patient Engagement Applications
  • Technical Healthcare Solutions
  • Community Service Groups
  • Revenue Cycle Management
  • Senior Housing
  • Medical Language Services
  • Corporate Business Units

How HIPAA Analytics Can Help

More than examining for deficiencies, our audit services approach client examinations with a focus on analytics that provide rich insight into the compliance program. By digging deeper into the root cause of issues and uncovering business and compliance process patterns, our audits help validate client concerns, assess options and predict compliance performance.

Based in Minneapolis/St. Paul, MN, we are centrally located to serve clients anywhere in the nation.

Data Breach Prevention and Notification Plan

In today’s expanding HIPAA compliance environment, staying on top of the privacy and security regulations amended by the recent HITECH Act can be daunting. For example, one new regulatory requirement establishes data breach notification obligations for HIPAA covered entities and their business associates. For healthcare organizations, the challenge in this provision alone is the process of measuring exposure to a data breach, developing policies and procedures to reduce that exposure, and developing a data breach incident plan to help minimize risk.

Need for Compliance Support
While the process of implementing the new data breach requirements appears simple enough, most healthcare organizations admit they are not equipped to meet them. In fact, a recent study[1] on Patient Privacy and Data Security by the Ponemon Institute reports a key takeaway: “Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. Healthcare organizations in our study told us they have inadequate resources (71 percent), few (if any) appropriately trained personnel (52 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.”

Full Impact of Data Breach
According to another Ponemon Institute study[2], the cost of a data breach incident to U.S. companies was $202 per compromised customer record in 2008. Cost factors include investigative and administrative expenses, customer defections, opportunity loss, reputation management, and the costs of customer support such as information hotlines and credit monitoring subscriptions.

Reducing Data Loss: People, Process and Technology
In response to the potential negative effects of a data breach, healthcare organizations continue to upgrade their technology. Yet Rick Kam, president of ID Experts, a data breach solutions company, explains in a recent data breach press statement[3] that, “Hardly a day goes by without news of some type of data breach being reported. Data breach incidents are growing in frequency and severity, while regulatory requirements for data privacy protection and incident notification are becoming more stringent. Although organizations entrusted with PII and PHI are making investments in technologies such as encryption and data loss prevention (DLP), none of these are ‘silver bullets’ that will eliminate data breach risks. Despite the focus on failure or lack of adequate security controls within organizations, a far more significant and common portion of these events are simply the result of staff’s lack of awareness and/or compliance to internal security policies and lax practices to safeguard sensitive information.”

To be sure, any healthcare organization is complex, with countless internal and external data points touched by people, processes and technology. To achieve privacy and security assurance of data integrity, a thorough analysis of “all” data points is key to a successful compliance program.

How We Can Help
Our data breach prevention audit examines PHI as it is handled by people, processes and technology. The audit inventories PHI, evaluates policies and procedures, examines staffing roles, reviews business processes, conducts a security evaluation, and upgrades training and awareness programs as needed.

[1] Ponemon Institute, “Benchmark Study on Patient Privacy and Data Security,” November 2010, sponsored by ID Experts.
[2] Ponemon Institute, “Fourth Annual US Cost of Data Breach Study,” January 2009.
[3] ID Experts, “Data Breach Risks and Privacy Compliance: The Expanding Role of the IT Security Professional,” Data Breach Press, 2010.

Grant Peterson, J.D., leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us.