How to Prepare for Your Annual HIPAA Compliance Audit

Posted by James Schroeder

A new year and a new decade are upon us. Are you prepared to conduct your annual HIPAA compliance audit? The HIPAA Security Rule requires both covered entities (CEs) and business associates (BAs) to conduct a risk analysis (45 CFR §164.308(a)(1)(ii)(A)) and to perform periodic technical and nontechnical evaluations of their safeguards (§164.308(a)(8)). Performing regular audits is how most healthcare organizations meet that requirement and demonstrate that HIPAA’s administrative, physical and technical safeguards are in place and working.

At ComplyAssistant, we recommend that HIPAA compliance audits be performed at least annually. And there’s no time like the new year to start a new habit. Here we’ll give you six tips to prepare for an annual audit.

The HIPAA Security Rule is deliberately flexible about how safeguards are implemented and how an assessment is scoped for a given facility or system. The Rule’s own factors are the organization’s size, complexity and capabilities; its technical infrastructure, hardware and software; the cost of security measures; and the probability and criticality of potential risks to electronic PHI.

TIP #1: Document any organizational, operational or structural changes in the past year (e.g., merger, acquisition, new construction) and include new departments or facilities in your audit plan.

Conducting regular security risk audits will help you prepare in case of an audit by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

TIP #2: Document the following items:

  • The date of your last assessment
  • A list of mitigated risks
  • HIPAA policies, procedures and controls that are currently in place
  • Evidence and documentation of those policies and procedures

Under the HIPAA Rules, covered entities must safeguard the protected health information (PHI) they create, receive, maintain or transmit, along with the systems and operations that handle it. The same obligations apply directly to business associates (BAs) who use, share or store PHI on behalf of a covered entity, and to their subcontractors.

TIP #3: Inventory all known business associates, including those whose agreements were signed outside the IT department’s purview (clinical, finance, facilities and marketing contracts are common blind spots). Prepare for your HIPAA compliance audit by ranking your BAs from highest to lowest risk, based on how they interact with protected data: whether they store, process, transmit or merely view PHI, how many individuals’ records are involved, and whether they pass PHI on to subcontractors. A vendor that handles PHI without a signed business associate agreement (BAA) is a finding in its own right, whatever its rank.
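As an added example (not code from the original post or from ComplyAssistant), the script below turns a BA inventory into the ranked list Tip #3 describes. The exposure weights, volume tiers, score arithmetic and the sample inventory are illustrative assumptions, not a published standard; the only boundary borrowed from HIPAA itself is the 500-individual threshold from the Breach Notification Rule. A missing BAA is reported as a finding independently of the score, as is any subcontractor chain that needs its own downstream BAAs.

```python
from __future__ import annotations

from dataclasses import dataclass

# How a vendor touches PHI, weighted from highest to lowest exposure.
# (Weights are an assumption for this example.)
EXPOSURE_WEIGHT = {
    "stores": 4,      # persists PHI on vendor-controlled systems
    "processes": 3,   # transforms PHI but does not retain it
    "transmits": 2,   # carries PHI in transit only
    "views": 1,       # human or read-only access (e.g., support staff)
    "none": 0,        # no PHI at all: not a business associate
}


@dataclass
class BusinessAssociate:
    name: str
    interaction: str         # one of EXPOSURE_WEIGHT's keys
    record_volume: int       # approximate number of individuals whose PHI is handled
    baa_signed: bool         # is a business associate agreement on file?
    owner_department: str    # who signed the contract (may be outside IT)
    subcontractors: int = 0  # downstream vendors that also receive the PHI


def volume_tier(record_volume: int) -> int:
    """Map record volume to a tier. The 500 boundary mirrors the HIPAA Breach
    Notification Rule (breaches affecting 500 or more individuals require
    notice to HHS without unreasonable delay); the upper tier is arbitrary."""
    if record_volume == 0:
        return 0
    if record_volume < 500:
        return 1
    if record_volume < 100_000:
        return 2
    return 3


def assess(ba: BusinessAssociate) -> tuple[int, list[str]]:
    """Return (risk score, list of findings) for one business associate."""
    if ba.interaction not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown interaction type: {ba.interaction!r}")
    exposure = EXPOSURE_WEIGHT[ba.interaction]
    findings: list[str] = []
    if exposure == 0:
        return 0, findings  # no PHI involved; nothing to rank or flag
    score = exposure * (1 + volume_tier(ba.record_volume))
    if ba.subcontractors > 0:
        score += 2
        findings.append(
            f"{ba.subcontractors} subcontractor(s) also handle PHI; confirm downstream BAAs"
        )
    if not ba.baa_signed:
        score += 5
        findings.append("no signed BAA on file (a finding regardless of score)")
    return score, findings


def rank_business_associates(inventory: list[BusinessAssociate]):
    """Rank highest risk first; ties broken by name for a stable report."""
    assessed = [(ba, *assess(ba)) for ba in inventory]
    return sorted(assessed, key=lambda t: (-t[1], t[0].name))


# Constructed sample inventory for the example; every vendor is fictitious.
SAMPLE_INVENTORY = [
    BusinessAssociate("Cloud EHR host", "stores", 250_000, True, "IT", subcontractors=2),
    BusinessAssociate("Transcription service", "processes", 8_000, False, "Clinical"),
    BusinessAssociate("Billing clearinghouse", "transmits", 120_000, True, "Finance", subcontractors=1),
    BusinessAssociate("Shredding vendor", "views", 300, True, "Facilities"),
    BusinessAssociate("Office supply vendor", "none", 0, False, "Purchasing"),
]

if __name__ == "__main__":
    for ba, score, findings in rank_business_associates(SAMPLE_INVENTORY):
        print(f"{score:3d}  {ba.name:<24} {ba.owner_department:<12} {'; '.join(findings)}")
```

In the sample run the transcription service ranks second on score but carries the most urgent finding, the missing BAA signed by a clinical department; that is exactly the kind of contract an IT-only inventory misses.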

Your full HIPAA compliance audit will include both internal (for the covered entity) and external (for business associates) reviews, and should evaluate administrative, physical and technical safeguards.

TIP #4: Using spreadsheets to document audit responses to everything from facility security to encryption protocols to liability insurance can be extremely unwieldy. We recommend using a GRC software solution to gather data, manage risk profiles, develop action plans and report on progress.

New threats emerge nearly every week, be it email phishing attacks, intrusion via third parties or ransomware. Do not carry last year’s likelihood and impact ratings forward unchanged: reassess each risk against the latest threat information available when conducting your annual HIPAA compliance audit.

TIP #5: Join a local or regional Information Sharing and Analysis Organization (ISAO) to share best practices and stay updated on regulatory changes and cybersecurity threats.

Your work doesn’t end when the HIPAA compliance audit is complete. Risk mitigation is critical to protecting your organization, your patients and your data.

TIP #6: Create a customized action plan to mitigate risks, starting with risk areas identified as the highest priority. A well-documented action plan will set you up nicely for the following year’s assessment.

Additional HIPAA compliance audit resources from ComplyAssistant:

Free tool: HIPAA Privacy and Security Proactive Audits Tool Kit

Free tool: HIPAA Facility Security Walkthrough Checklist

Guide: Fundamental Guide to Vendor Risk Management

Solution: ComplyAssistant GRC software