
Identify And Reduce Risks With A Proper HIPAA Audit Checklist

Equip your team with an easy-to-use HIPAA audit checklist to stay on top of your compliance requirements and reduce the risk of audits. It is the ideal tool for identifying risks and vulnerabilities in your healthcare organization or associated business.

What Is a HIPAA Audit Checklist?

A HIPAA audit checklist is designed to help healthcare personnel identify potential risks to electronically stored patient data, formally termed Protected Health Information (PHI). The checklist responds to changes in the Health Insurance Portability & Accountability Act (HIPAA) that sought to address the increasing number of data breaches being reported to the US Department of Health and Human Services’ Office for Civil Rights (OCR).

2018 saw the highest HIPAA enforcement total to date, with fines reaching $28.7 million across ten compliance cases. This adds even more weight to the urgency and importance of complying with HIPAA regulations. Going through an audit and possibly being fined is the last thing any medical facility wants.

Safeguarding patients’ protected health information has become a crucial matter, and being prepared for a HIPAA audit has become a top priority in the health industry.

In this article, the following points are explained:

  1. What HIPAA compliance means
  2. Common violations that trigger HIPAA audits
  3. Elements of a proper HIPAA risk assessment checklist
  4. Advantages of an audit app for HIPAA compliance


Understanding HIPAA Compliance

Essentially, HIPAA compliance is the process of meeting the requirements set by the Health Insurance Portability and Accountability Act of 1996 and any amendments following its passing, including related legislation like the HITECH Act.

One notable aspect is that organizations trying to identify the compliance requirements will quickly find that they are not explicitly spelled out. In fact, the requirements of HIPAA were intentionally written in broad terms so that they apply to any Covered Entity and Business Associate that is directly or indirectly involved in creating, accessing, processing, and storing patients’ protected health information. This lets the rules cover more ground and be implemented across many health institutions and individual practices.

To help you better understand, let’s take a look at who is considered a Covered Entity and who is considered a Business Associate:

  • Covered Entity: For individuals, this includes healthcare providers, health plans, and healthcare clearinghouses that mediate between healthcare providers and insurance payers. In the context of a health facility such as a hospital, it is the hospital that is considered the Covered Entity, not the healthcare providers it employs. Employers are typically not regarded as Covered Entities unless they offer benefits such as an Employee Assistance Program (EAP) or provide health insurance coverage. In that case they are considered “hybrid entities” and may be held liable for HIPAA violations if a breach of PHI occurs.
  • Business Associate: Any individual or business entity granted access to PHI maintained by the Covered Entity as part of a function or service it performs for that entity. The most common types of Business Associates include IT contractors, lawyers, and accountants.

Covered Entities and Business Associates are required to ensure that every technical, physical, and administrative safeguard is observed to the highest standard for the protection of PHI. On top of this, practices must comply with the HIPAA Privacy Rule to maintain the integrity of PHI and, in the event of a data breach, follow the procedure set out in the HIPAA Breach Notification Rule.

All risk-assessment procedures, HIPAA-related policies, and failures to implement addressable safeguards must be documented during the investigation to help determine exactly how the breach happened.

Common Violations That Trigger HIPAA Audits

Typically, a HIPAA audit is triggered by a PHI breach. Although the list below is not exhaustive, these are the most common triggers of an audit:

  • A malware or ransomware attack;
  • Loss or theft of hardware with access to PHI;
  • Improper disposal of patient records (e.g., throwing PHI in a garbage bag instead of shredding it);
  • A reported office burglary;
  • Unauthorized individuals gaining illegal access to PHI, or patient information being illegally disclosed.

HIPAA violations that are classified under improper access include:

  • Employees viewing patient records when they are not designated or assigned to, and have no function relating to, the patient whose record is being viewed;
  • An employee viewing patient records on a device or monitor that can be seen by the public.

HIPAA violations that are considered unauthorized disclosures include:

  • Handing out patient information to a family member without the express consent of the patient or an authorized representative;
  • Handing out a patient’s information to the media without the express consent of the patient or an authorized representative;
  • Using a patient’s information for educational purposes without the express consent of the patient or an authorized representative.

Elements Of A Proper HIPAA Risk Assessment Checklist

Because Covered Entities and Business Associates vary so much in size, capacity, and complexity, the OCR deemed it impossible to provide specific guidelines on risk analysis methodology. It did, however, provide guidance on the objectives that a proper HIPAA risk assessment should meet:

  1. It should adequately identify, document, and track the PHI that the organization creates, receives, stores, and discloses, including information shared with Business Associates.
  2. It should assess the data protection measures implemented to safeguard against “reasonably anticipated” data breaches.
  3. It should identify all potential threats to PHI, including human, natural, and environmental factors, whether intentional or unintentional.
  4. It should evaluate the impact of every possible breach, conduct a risk assessment, and assign each risk a level according to its impact and likelihood.
  5. It should comprehensively document all findings and implement the necessary safety measures to ensure that high compliance standards are observed.

Furthermore, all relevant documents, measures, procedures, and policies pertaining to the HIPAA risk assessment are required to be kept for a minimum of six years.


Leverage An Audit App To Make Your HIPAA Compliance Easier and Error-Free

Using a mobile audit app to streamline your compliance practices can help keep fines at bay. With a digital checklist, your team has the relevant compliance procedures available at any time, so they are always guided on proper data protection practices, prevention of information breaches, and HIPAA regulations.

Use Lumiform to make the transition to reliable digital checklists, which let you conduct audits right on your phone. You can sign up and create a free HIPAA compliance checklist to find out the benefits of going digital.

But that’s not all that you get:

  • Using our fully flexible and customizable form builder, you can create your own audit form and download free HIPAA compliance forms straight to your mobile phone, so you can conduct an audit even when you’re offline.
  • If you prefer something more ready-to-use, head to our template library and you’ll have your HIPAA audit checklist ready in less than a minute.
  • Using the mobile app’s workflow feature, you can easily communicate issues to your team and find solutions faster.
  • Organize all necessary documentation in one place and make sure nothing gets missed, checking in on entries easily from anywhere, at any time of day.
  • Generate in-depth reports immediately and get the data you need in no time.
