A HIPAA security audit can help covered entities and business associates identify threats to the confidentiality of Protected Health Information and remedy gaps in security to demonstrate a good faith effort to comply with HIPAA. For smaller organizations, a HIPAA security audit can be more cost-effective than adopting a recognized security framework.
In 2021, Congress passed an amendment to the HITECH Act which – among other measures – instructed the Secretary of Health and Human Services (HHS) to consider a covered entity’s previous compliance with a recognized security framework when calculating the amount of a civil monetary penalty for a HIPAA violation or the severity of a corrective action plan.
At the time, the amendment suggested a recognized security framework consisted of “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act, the approaches promulgated under section 405(d) of the 2015 Cybersecurity Act, and other programs […] consistent with the HIPAA Security Rule.”
For many small organizations subject to HIPAA, adopting and demonstrating compliance with a recognized security framework requires a considerable investment in time and money. Most smaller healthcare organizations simply do not have the resources to implement the measures required by (for example) the recently updated NIST Cybersecurity Framework 2.0.
In addition, although HHS’ Office for Civil Rights published a Request for Information in April 2022 asking for suggestions about “other programs consistent with the HIPAA Security Rule”, no guidance has yet been published about how smaller organizations with limited resources can demonstrate at least twelve months’ previous compliance with the HIPAA Security Rule.
How a HIPAA Security Audit Can Help
A HIPAA security audit is a comparison of the Security Rule standards and implementation specifications that apply to an organization against existing safeguards, policies, and procedures. Because the Security Rule allows a “flexibility of approach”, there is no one-size-fits-all HIPAA security checklist or HIPAA security audit template. However, there are some common elements that should be included in any HIPAA cybersecurity compliance checklist:
- A risk assessment of potential threats and vulnerabilities that could impact the security, integrity, or availability of PHI.
- A documented security management process for preventing, detecting, containing, and correcting security incidents.
- Procedures for managing access to networks, systems, and devices through which PHI is accessible and logging user activity.
- Correctly configured and managed controls for allowing remote access to systems and for logging users out of systems remotely.
- Data backup, disaster recovery, emergency operating mode, and contingency plans which have been tested and documented.
- Physical safeguards that prevent unauthorized access to networks, systems, and devices through which PHI is accessible.
Other elements – such as encryption – may need to be included in a HIPAA cybersecurity compliance checklist depending on the type(s) of productivity, collaboration, storage, and communication software used in the organization. For example, subscribers to some Microsoft Office 365 business plans will find PHI is automatically encrypted at rest and protected during transit by TLS encryption – which is sufficient to satisfy the HIPAA encryption requirements for data at rest and in transit. Platform-provided encryption does not, however, replace the access control, logging, and physical safeguard elements listed above; an audit should still confirm each of those is in place.
Ticking Boxes on a HIPAA Security Rule Checklist is Not Enough
Some organizations that conduct a HIPAA security audit believe that compiling a HIPAA Security Rule checklist, using the checklist to identify compliance failures, and then implementing measures to address the failures is sufficient to demonstrate HIPAA compliance. It’s not. HIPAA compliance consists of ensuring HIPAA policies and procedures are followed by members of the workforce by monitoring workforce compliance and applying sanctions when necessary.
This means that a HIPAA security audit also has to look at the ways in which members of the workforce receive HIPAA training, how their day-to-day functions are monitored for compliance, and what measures exist for raising compliance concerns or escalating security incidents. Only once these issues are resolved and documented can an organization claim it is making a good faith effort to comply with the Security Rule if investigated by HHS’ Office for Civil Rights.
It is also important to note the HIPAA Security Rule documentation standard (§164.316) requires covered entities and business associates to review documentation periodically and revise it as necessary. This implies a HIPAA security audit is an ongoing exercise rather than a one-off “ticking the box” exercise, and ongoing auditing is highly likely to be included in a Final Rule for determining what constitutes a recognized security framework under the HITECH amendment.