HIPAA Survival Guide June 2019 Newsletter

The Self-Audit Process
 
Introduction
 
Are you ready for a HIPAA Audit? Covered entities and business associates are under potential threat of an audit by the HHS' Office for Civil Rights (OCR). The cost of compliance is steep in terms of capital and budget investment. The alternative is civil monetary penalties for noncompliance. Take a look at the "Wall of Shame" and see for yourself.
 
The scope of an HHS/OCR HIPAA audit generally does not extend beyond the Privacy, Security, and Breach Notification Rules. HIPAA Risk Assessments and Self-Audits can be performed periodically (every year) or when operational needs change in the organization. Results of an HHS or OCR audit may indicate types of corrective actions that are recommended or mandatory. However, should an audit indicate a serious compliance issue, OCR may initiate a compliance review to further investigate. 
 
The Security Rule's Evaluation standard requires the following: "Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart."
 
What is a Self-Audit?
 
HIPAA self-audits provide a preview of the policies, procedures, standards, and practices of a Covered Entity ("CE") or Business Associate ("BA"). CEs and BAs include individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a variety of business associates of these entities. Self-Audits prepare organizations to avoid the "bad day" when (not if) a HIPAA audit arrives due to a Breach.
 
Self-Auditing involves an independent assessment of a CE or BA's organizational activities and records. There are many reasons to conduct a self-audit, including examination preparedness for an OCR Audit, identification of vulnerabilities (lack of HIPAA specifications and controls), and benchmarking against practices. A self-audit can also be a learning experience for Compliance Officers; with each audit, knowledge and skills improve.

The audit process begins with a Risk Assessment, in which vulnerabilities (lack of HIPAA controls) and the risks from threats exploiting those vulnerabilities identify areas to remediate. Risk Remediation comes next, in which activities are undertaken to fill gaps in HIPAA policies, procedures, and implementation standards. Self-Audits review information within the Risk Assessment and Remediation materials to identify areas that need change.
 
A best practice for Risk Assessment evaluation and remediation is to identify critical individuals to participate not only in the Risk Assessment but also in the auditing and risk remediation process. These individuals should come from different areas of the organization (i.e., personnel, network, and legislative/HIPAA compliance). A great tool to guide the process is our Security, Privacy Rule, and Cloud, Social Media and Mobile Device Checklists.

This begs the question, what do we mean by a checklist, and more specifically in this context, a legal/compliance checklist? The short answer is that checklists are ways to "attack" a problem or issue. Checklists have been widely adopted across industries (e.g. aviation) and are now becoming quite acclaimed in the practice of medicine. The publication of The Checklist Manifesto: How to Get Things Right by Atul Gawande (general surgeon at the Brigham and Women's Hospital in Boston, a staff writer for The New Yorker, and an assistant professor at Harvard Medical School) has led to widespread interest in checklists in healthcare.

Conclusion
 
Your HIPAA Compliance Initiative will continue to grow and evolve over time. The law will change. Your operational environment will change. You will have staff turnover. Your organization will be bought. Your organization will merge with other organizations. For all these reasons and many more, your organization's self-audit program should be kept evergreen. If you let it stagnate and gather dust it will quickly lose its value. It's a trite, overused expression, but nonetheless continues to convey a significant truth: "the only constant is change."
 
Although HHS/OCR has suspended its formal audit program, you can be sure of one thing: when (not if) you have a significant breach, an HHS audit will follow. If you have stuck your proverbial "head in the sand," then it is likely that willful neglect violations will be found; those are the ones that start at $50K per violation. OUCH! You can purchase insurance (e.g. our Subscription Plan) to prevent this eventuality, but many covered entities and business associates would rather remain blissfully uninformed, believing that breaches are bad things that happen to other organizations.