HIPAA Audit Checklist

In March 2013, the enactment of changes to the Health Insurance Portability and Accountability Act (HIPAA) made it advisable for healthcare organizations and other covered entities to compile a HIPAA audit checklist. The objective of a HIPAA audit checklist would be to identify any possible risks to the integrity of electronically-stored protected health information (ePHI).

The changes were introduced in response to the increasing number of ePHI breaches being reported to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). The increased number of breaches was attributed to the growing use of personal mobile devices in the workplace to communicate ePHI.

At the same time, an audit protocol was released by OCR. Although compiling a HIPAA audit checklist was neither a “required” nor an “addressable” specification, it makes more sense than ever before to get ready for HIPAA audits, with a new round of OCR compliance appraisals about to begin.

OCR Announces Schedule for Compliance Appraisals

In February 2014, OCR announced a plan to survey 1,200 HIPAA-covered entities – 800 healthcare organizations and 400 business associates – as the first step in selecting covered entities for the next round of HIPAA audits. OCR plans to gather recent data about patient visits, how ePHI is shared electronically, revenues and business locations in order to assess the “size, complexity and fitness of a respondent for an audit”.

Being selected to take part in the survey does not necessarily imply that a covered entity will have to get ready for a HIPAA audit. However, it is advisable for all covered entities to be aware of the audit protocol. In the last round of compliance assessments, OCR discovered most of the appraised covered entities did not meet the requirements in the areas of security, privacy, and breach notification. This apparently was due to covered entities being “unaware of the requirements” – something that a HIPAA audit checklist would overcome.

The likelihood of being selected for the OCR survey and having to get ready for a HIPAA audit is remote. There are more than 700,000 healthcare organizations that could be selected for a compliance appraisal and around 2-3 million Business Associates that now fall within the HIPAA regulations. Nonetheless, it is in every covered entity's interests that the integrity of ePHI is safeguarded, and the best way to do that is with a secure messaging solution.

Secure Messaging Solutions Check the Boxes on a HIPAA Audit Checklist

Secure messaging solutions were developed as a response to the increased use of mobile devices in the workplace and BYOD policies. They work by creating a private communications network through which authorized employees and Business Associates can gain access to encrypted ePHI and communicate with other authorized users via secure messaging apps.

The apps can be downloaded to desktop computers and personal mobile devices and work on any operating system. Communication and access to ePHI are monitored by a cloud-based platform, which has safeguards in place to prevent the transmission of ePHI outside of the healthcare organization's network. Administrative controls are in place to prevent unauthorized access to ePHI when a computer or mobile device is left unattended, and the facility exists to set “message lifespans” on all communications.

The platform also monitors activity on the network to ensure secure messaging policies are being adhered to, and produces audit reports that assist administrators with risk assessments. Other ways in which secure messaging solutions can help covered entities check the boxes on a HIPAA audit checklist include:

  • Vendors of secure messaging solutions have access controls and procedures in place to restrict unauthorized physical access to their secure servers.
  • Secure messaging solutions use a combination of SSL protocols to create uniquely encrypted channels of communication for ePHI.
  • The audit reports ensure that risk assessments are conducted regularly and that relevant computing resources are diagrammed and documented.
  • Secure messaging solutions have mechanisms in place to authenticate the identities of users and to prevent ePHI from being copied and pasted or saved to an external hard drive.
  • Most secure messaging solutions come with Business Continuity Plans and Disaster Recovery Procedures to restore data based on each covered entity's recovery time objective.

How Else to Get Ready for a HIPAA Audit

With a secure messaging solution providing the mechanisms by which covered entities can comply with the physical and technical safeguards of the HIPAA Security Rule, healthcare organizations and Business Associates must develop policies to guide employees on the best practices to adopt in order to comply with the HIPAA Security Rule administrative safeguards.

In order to get ready for a HIPAA audit, healthcare organizations and Business Associates must also develop their own risk management analysis and document their data management, security and training plans. They should be aware of what constitutes a breach of ePHI and how to report a breach to the OCR – even though one is unlikely to occur with a secure messaging solution in place.

A breach of ePHI is an impermissible use or disclosure of ePHI, and is presumed to be a breach unless the healthcare organization or business associate can demonstrate there is a low probability that the ePHI has been compromised (for example, when ePHI has been encrypted to a sufficiently high standard). Full details of what constitutes a breach of ePHI and how to report it appear on the U.S. Department of Health and Human Services' web site.

The Benefits of Complying with the HIPAA Audit Protocol

Getting ready for a HIPAA audit will help healthcare organizations and Business Associates identify any risks to the integrity of ePHI and reduce the risk of fines and possible civil legal action should a breach of ePHI occur. If a secure messaging solution is chosen to eliminate the risks, there are some significant benefits.

Features such as delivery notifications and read receipts reduce the amount of time medical professionals spend playing phone tag. This enables them to streamline workflows and allocate their resources more productively in a wide range of scenarios. A medical professional with access to a HIPAA-compliant secure messaging app can use it to:

  • Accelerate patient admissions.
  • Manage emergency room hand-offs and patient discharges.
  • Send or receive wound images, x-rays, and lab or test results.
  • Collaborate on a patient's treatment with colleagues.
  • Escalate patient concerns and request physician consults.
  • Confirm scripts and resolve any prescription queries.

Medical professionals located outside of a hospital environment – or those who provide telemedicine services – can securely communicate ePHI “on the go” from any mobile device with secure messaging to save valuable time, increase productivity and enhance the standard of patient healthcare.

Compile Your HIPAA Audit Checklist as Soon as Possible

The next round of OCR compliance appraisals will provide the OCR with an opportunity to examine the different mechanisms being implemented to comply with HIPAA. The plan is also to identify best practices and discover whether any new risks and vulnerabilities have emerged.

A HIPAA audit checklist is the ideal tool to identify any risks or vulnerabilities in your healthcare organization or associated business. It is in your best interests to compile a HIPAA audit checklist and conduct an audit on your own precautions for protecting the integrity of ePHI. You never know when the OCR may be paying you a visit!

HIPAA Audit Update – July 2016

The Department of Health and Human Services’ Office for Civil Rights (OCR) has now selected covered entities from its pool of eligible organizations and has chosen 167 for a HIPAA compliance audit. The covered entities selected for a compliance audit have now been notified by email. In other recent HIPAA audit news:

  • Mar 3 2016: Update on OCR HIPAA Compliance Audits
  • Apr 5 2016: OCR Publishes New HIPAA Audit Protocol
  • May 20 2016: Advice on the Upcoming HIPAA Compliance Audits
  • July 13 2016: OCR Phase 2 HIPAA Audits: Documentation Requests Issued

Does a HIPAA audit only review compliance with how ePHI is transmitted?

No. A HIPAA audit can review compliance with many different aspects of HIPAA compliance. For example, in the 2018 round of audits, covered entities and business associates had to display compliance with HIPAA rules relating to genetic information, deceased individuals, and when it is permissible to disclose PHI to a patient's personal representative (among many other areas of compliance).

What is the difference between a desk audit and a physical audit?

In order to accelerate the audit process, HHS has divided audits between desk audits – in which selected covered entities and business associates submit documentation via OCR's secure portal – and physical audits. In most cases, an organization selected for a desk audit will not be selected for a physical audit unless there is a lack of cooperation by the organization during the desk audit.

If my organization is selected for a desk audit, how much information do I have to provide?

This will depend on the current audit protocol. Prior to each round of audits, HHS releases a list of the areas of compliance it will be focusing on. If selected, you will be required to submit the most recent policy documents relating to these areas via OCR's secure portal. Note: you must send only the documents requested. OCR auditors will not search through compendiums of policies to find those requested.

What are the penalties for failing a HIPAA audit?

The purpose of the HIPAA audit program is to assess how covered entities and business associates are complying with HIPAA. If issues are found during a desk audit, the HHS will notify you of them. If issues are found during a physical audit, HHS may require you to initiate a corrective action plan – unless the issues are of a serious nature, in which case the usual penalties for violating HIPAA will apply.

How do I know if my documentation is sufficient for HHS' audit requirements?

There are a couple of ways to determine whether your documentation is sufficient for HHS' audit requirements. First, keep up to date with the most current audit protocols. These are published on HHS' website. If you still have any concerns about having sufficient documentation to respond to HHS audit requests, it is recommended to seek professional HIPAA compliance help.