HIPAA audits are just like any other audit or project: they require the proper steps.
Step 1: Project Planning
The planning and scoping of a project is often one of the hardest parts of project management. Audits, like a HIPAA audit, are a targeted project whose deliverables are findings or shortcomings. If the audit scope is too narrow, then the findings will not be an accurate reflection of the organization's status with regard to HIPAA compliance. Likewise, if the audit scope is too broad, then too much time will be wasted on insignificant or minor issues. Key points during any HIPAA audit or project planning step are:
- Understand the HIPAA Security Rule: what is truly required and needed.
- Identify the HIPAA Security Officer, as they should be the key person involved from the start.
- Understand and identify your current resources.
This is a vital step to ensure that all members are on the same page, with auditors and auditees all seeing the same road map, and that the success and failure objectives are clearly defined.
Step 2: Gap Analysis and System Discovery
Now the HIPAA audit can begin. Always start broad and narrow down as you identify key information points. For example: start from the premise that all workstations must be examined. Then, first determine which workstations or devices have EPHI (Electronic Protected Health Information) and which do not. Only then can you move forward and eliminate the devices that clearly do NOT have EPHI. Sadly, this simple step is often not followed, and devices that do have EPHI go unexamined, frequently resulting in a HIPAA breach due to poor system discovery methods. Identify and look for the nefarious means an outsider would use to gain access; in other words, think like the bad guy. Think, “IF I wanted to gain access to X’s medical files, how would I do it, as an outsider or non-employee?” Now do NOT go and do that! But this is often the exact process the “real” malicious individual would follow. Trust me: if you can find a weakness, so can they.
This is NOT the time to fix things. This IS the time to find the problems. Yes, I know we do not want to, I know we think they do not exist in our organization, and I know it can be painful to find problems you did not realize existed, only to realize you may be miles away from the compliance line. However, you should face them NOW and not later. Do NOT be afraid to double or triple check results to ensure that a system does or does not have EPHI. Be inclusive, not minimalistic.
Use a survey and ask, “Do we comply with ‘aaa.bbb(c)d’ of the HIPAA rules?” on a scale where 0 is total non-compliance and 100 is absolutely, verifiably compliant. At the end, anything that does not score above a 20 is a total compliance failure, and anything between 5 and 19 is borderline.
“But that means too much is non-compliant!” you might say.
True, but if the respondents do not know the measuring scale, then they will try to duck issues: “Oh, we are a 70 on this issue.” They know full well they are not compliant, but in their mind it’s not THAT bad. At this point of the audit process, this is MISSION CRITICAL.
Hi,
Thanks for the great and useful information.
Sam Orville : SEO Specialist
Callbox Inc. : http://www.callboxinc.com/
Managed Medical Services : http://www.managedmedservices.com/