To download PDF: Official DHHS released HIPAA Audit Checklist
The HIPAA Security Rule establishes very clearly the requirements for the Risk Management implementation specification, the Audit Controls standard, and the Evaluation standard:
Risk Management Implementation Specification
Audit Controls Standard
The Risk Management standard requires that organizations on a regular basis identify, select, and implement controls, countermeasures, reporting, and verification to achieve an appropriate level of risk at an acceptable cost.
Organizations must also repeat the process of identification of all vulnerabilities to electronic PHI as well as other information assets and determine appropriate security measures to reduce risks to a reasonable and appropriate level.
All organizations should go beyond just meeting HIPAA Security Rule compliance requirements. The compliance requirements are limited to electronic PHI. Organizations must evaluate their security requirements for not just all PHI, but all information assets. The requirement for evaluating if compliance requirements have been met may be done internally or with an external resource or jointly.
The Security Rule requires that covered entities periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of the Security Rule.
Objective of HIPAA Audit and Evaluation for HIPAA Compliance
The objective of HIPAA Audit includes the following activities:
1. Assess if all vulnerabilities have been addressed.
2. Verify that all compliance requirements have been met.
HIPAA Security Rule Standard Implementation Specification
Security Management Process
The NIST defines risk as the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. The risk is a function of the likelihood of a given threat-sources exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
Security professionals generally define risk management as a process for identifying, selecting, and implementing controls, countermeasures, reporting, and verification to achieve an appropriate level of risk at an acceptable cost.
Organizations will need to review mechanisms that must be deployed to record and examine system activity to determine suspicious data activities. The audit capability must be such that it enables tracing not just to the device but also to the user. The security policy must hold individuals responsible for their actions. The policies lead to procedures to follow in the event of audit alarms or discrepancies.
Audit controls may apply to a system, a network, an application or any other technical processes. The covered entity should specify how long the organization would retain the audit log data. The required retention period for the audit log data should be adequate to investigate instances of inappropriate access.
The organization should define who may access the systems audit log data and provide for secure storage and protection of the system log data, especially for data which contains protected health information. Audit trails may become evidence in legal proceedings, so care should be taken to protect their integrity in order to preserve their usefulness for such purposes.
It is required that covered entities periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of the Security Rule. Covered entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation. This evaluation may be performed internally or by an external accrediting agency, which would be acting as a business associate. The evaluation would be to both technical and non-technical components of security.
Strong audit trails are a critical component of an organization’s security strategy and help the entity ensure the confidentiality, integrity, and availability of e-PHI and other vital information and avoid any HIPAA law violations.
Sample – Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews
1. Personnel that may be interviewed
- President, CEO or Director
- HIPAA Compliance Officer
- Lead Systems Manager or Director
- Systems Security Officer
- Lead Network Engineer and/or individuals responsible for:
- administration of systems which store, transmit, or access Electronic Protected Health Information (EPHI)
- administration systems networks (wired and wireless)
- monitoring of systems which store, transmit, or access EPHI
- monitoring systems networks (if different from above)
- Computer Hardware Specialist
- Disaster Recovery Specialist or person in charge of data backup
- Facility Access Control Coordinator (physical security)
- Human Resources Representative
- Director of Training
- Incident Response Team Leader
- Others as identified….
2. Documents and other information that may be requested for investigations/reviews
a. Policies and Procedures and other Evidence that Address the Following:
- Prevention, detection, containment, and correction of security violations
- Employee background checks and confidentiality agreements
- Establishing user access for new and existing employees
- List of authentication methods used to identify users authorized to access EPHI
- List of individuals and contractors with access to EPHI to include copies pertinent business associate agreements
- List of software used to manage and control access to the Internet
- Detecting, reporting, and responding to security incidents (if not in the security plan)
- Physical security
- Encryption and decryption of EPHI
- Mechanisms to ensure integrity of data during transmission – including portable media transmission (i.e. laptops, cell phones, blackberries, thumb drives)
- Monitoring systems use – authorized and unauthorized
- Use of wireless networks
- Granting, approving, and monitoring systems access (for example, by level, role, and job function)
- Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
- Termination of systems access
- Session termination policies and procedures for inactive computer systems
- Policies and procedures for emergency access to electronic information systems
- Password management policies and procedures
- Secure workstation use (documentation of specific guidelines for each class of workstation (i.e., on site, laptop, and home system usage)
- Disposal of media and devices containing EPHI
b. Other Documents:
- Entity-wide Security Plan
- Risk Analysis (most recent)
- Risk Management Plan (addressing risks identified in the Risk Analysis)
- Security violation monitoring reports
- Vulnerability scanning plans
- Results from most recent vulnerability scan
- Network penetration testing policy and procedure
- Results from most recent network penetration test
- List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
- Configuration standards to include patch management for systems which store, transmit, or access EPHI (including workstations)
- Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
- Organization chart to include staff members responsible for general HIPAA compliance to include the protection of EPHI
- Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
- Policies and procedures governing the use of virus protection software
- Data backup procedures
- Disaster recovery plan
- Disaster recovery tests plans and results
- Analysis of information systems, applications, and data groups according to their criticality and sensitivity
- Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
- List of all Primary Domain Controllers (PDC) and servers
- Inventory log recording the owner and movement media and devices that contain EPHI
Let us help you in completing your HIPAA Compliance with an audit.
Please contact us for more information at Bob@training-hipaa.net or call (515) 865-4591.