Phase 2 HIPAA Audit Checklist
It’s been a long time coming, but according to OCR, the phase 2 HIPAA audits are expected to begin in Spring 2016, so you’ll need to make sure your organization is prepared.
With a high number of breaches occurring in the last two years being attributed to a lack of encryption, employee negligence and cyber attacks, the phase 2 audits are likely to focus on these areas, as well as on HIPAA standards that were sources of high numbers of non-compliance in the phase 1 audits.
As well as covered entities, phase 2 audits will also be conducted on business associates of covered entities, such as health plan providers, billing companies and medical supply companies.
To ensure that you are prepared for a potential phase 2 audit, covered entities and business associates may find our downloadable checklist useful.
Phase 2 HIPAA Audit Checklist
Not sure where to start when it comes to checking that your organization will pass a HIPAA audit with flying colors? Fear not – we are here to help!
What is a HIPAA audit?
OCR are set to conduct phase 2 HIPAA audits in Spring 2016. HIPAA audits are used by OCR to proactively identify issues with non-compliance, and to address any areas of concern across a range of covered entities and business associates.
The HIPAA Privacy, Security, and Breach Notification Rules apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with 50 or more participants or that are administered by a third party.
If your organization meets these criteria, you may find that you are selected by OCR to be audited.
What were the findings of the phase 1 HIPAA audits?
The phase 1 audits identified high levels of non-compliance in the following areas:
- Risk analysis and risk management
- Content and timelines of breach notifications
- Notice of privacy practices
- Individual access
- Privacy Standards reasonable safeguards requirement
- Training on HIPAA policies and breach notification procedures
- Device/media controls
- Transmission security
HIPAA Audit Checklist:
Tick off each of the items below to perform an informal HIPAA preparedness assessment of your organization.
- Able to identify the security official who is responsible for developing and implementing the organization's HIPAA policies and procedures
- Have conducted a comprehensive risk assessment of potential security risks and vulnerabilities, and can show that any items identified in the assessment have been remediated or are on a reasonable timeline for remediation
- Able to provide a detailed risk management strategy
- Can provide details of the procedure when responding to suspected or known security incidents
- All necessary privacy and security documentation is readily available and up to date
- Able to demonstrate that security controls are working, can examine activity in information systems that contain or use PHI, and can show that your organization has implemented procedures to regularly review audit logs, access reports, and security incident tracking records
- Can confirm that a facility security plan for each physical location that stores or otherwise has access to PHI has been adopted, in addition to any security policies that require a physical security plan
- Have conducted a full review of HIPAA security policies to identify any actions that have not been completed as required (e.g. physical security plans, disaster recovery plan, emergency access procedures, etc.) to meet HIPAA compliance
- Can confirm that a breach notification policy has been implemented and that it accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards
- In addition to a website privacy notice, a compliant Notice of Privacy Practices is available
- Can confirm that all systems and software that transmit electronic PHI use encryption technology, or provide a documented risk analysis supporting the decision not to employ encryption
- Are able to show that your organization has reasonable and appropriate safeguards in place for all forms of PHI – both in transit and at rest
- Able to demonstrate that sufficient procedures have been implemented for the authorization and/or supervision of employees who work with PHI or in locations where it might be accessed, including methods of authentication
- Can show that a process is in place for terminating access to PHI after a period of inactivity
- Able to demonstrate that sufficient procedures have been implemented to determine that the access level of an employee to PHI is appropriate
- Can prove that sufficient procedures are in place to terminate access to PHI when an employee leaves an organization
- Can prove that your organization has implemented policies and procedures to protect PHI from improper alteration or destruction
- Have the capability to remote wipe and disable a device that holds PHI
- Able to show that your organization maintains an accurate inventory of information system assets, including mobile devices (also applicable to a BYOD environment)
- Have performed checks for malicious software
- Have a robust process in place for password creation and password changes
- Have a complete inventory of all covered entities and business associates available
- Can ensure that appropriate business associate agreements have been executed
- Are able to provide evidence that the workforce has received HIPAA training
- Have conducted a ‘self-audit’ to check how well policies and procedures are being carried out throughout the organization