Audit Checklist for HIPAA

In March 2013, the passing of changes to the Health Insurance Portability and Accountability Act (HIPAA) made it important or healthcare groups and other covered bodies to compile a HIPAA audit checklist. The objective of a HIPAA audit checklist would be to discover as many possible risks to the integrity of electronically-stored protected health information (ePHI).

The changes were brought in as a response to the growing number of ePHI breaches being reported to the U.S. Department of Health and Human Services´ Office for Civil Rights (OCR). The higher number of breaches was attributed to the growing use of personal mobile devices in the workplace to send ePHI.

At the same time, an audit protocol was published by OCR. Although it was neither a “required” nor an “addressable” specification that a HIPAA compliance checklist was put together, it makes more sense than ever before to get ready for HIPAA audits with a new round of OCR compliance appraisals about to start.

Secure Messaging Solutions Ticks the Boxes for a HIPAA Audit Checklist

Secure messaging solutions were created as a reaction to the increased use of mobile devices in the workplace and BYOD policies. They work by establishing a private communications network through which authorized workers and Business Associates can gain access to encrypted ePHI and communicate with other authorized users through secure messaging apps.

The apps can be installed to desktop computers and personal mobile devices and work on any operating system. Communication and access to ePHI is reviewed by a cloud-based platform, which has safeguards in place to stop the transmission of ePHI outside of the healthcare groups network. Management controls are in place to prevent the unauthorized access to ePHI when a computer or mobile device is left unattended, and the facility exists to set “message lifespans” on all communications.

The platform also oversees activity on the network to ensure secure messaging policies are being adhered to, and generates audit reports that assist administrators with risk assessments. Other ways in which secure messaging solutions can assist covered entities check the boxes on a HIPAA audit checklist include:

• Vendors of secure messaging solutions have access controls and processes in place to limit unauthorized physical access to their secure servers.
• Secure messaging solutions use a combination of SSL protocols to set up uniquely encrypted channels of communication for ePHI.
• The audit reports ensure that risk assessments are carried out regularly and that relevant computing resources are diagrammed and recorded.
• Secure messaging solutions have mechanisms set to authenticate the identities of users and to stop ePHI from being copied and pasted or saved on an external hard drive.
• Most secure messaging solutions come with Business Continuity Plans and Disaster Recovery Procedures to rescue data based on each covered entity´s recovery time objective.

Other Preparations for a HIPAA Audit

With a secure messaging solution providing the mechanisms in order that covered entities can adhere with the physical and technical safeguards of the HIPAA Security Rule, healthcare groups and Business Associates must develop policies to show employees the best practices to implement in order to be in compliance with the HIPAA Security Rule administrative security measures.

In order to prepare for a HIPAA audit, healthcare groups and Business Associates must also create their own risk management analysis, document data management, security and training plans. They should be aware of what makes up a breach of ePHI and how to report a breach to the OCR – even though one is unlikely to happen with a secure messaging solution in place.

A breach of ePHI is an impermissible use or sharing of ePHI, and is presumed to be a breach unless the healthcare organization or business associate can show there is a low probability that the ePHI has been compromised (for example, when ePHI has been encrypted to an acceptable high standard). Full details of what makes up a breach of ePHI and how to report it appears on the U.S. Department of Health and Human Services’ website.

HIPAA Audit Protocol Compliance Advantages

Preparing for a HIPAA audit will help healthcare groups and Business Associates identify any risks to the integrity of ePHI and cut the chance of fines and possible civil legal action should a breach of ePHI occur. If a secure messaging solution is opted for to eliminate the risks, there are some significant advantages.

Features such as delivery alerts and read receipts cut the amount of time medical professionals spend playing phone tag. This allows them to streamline workflows and allocate their resources more productively in a wide variety of scenarios. A medical worker with access to a HIPAA-compliant secure messaging app can use it to:

• Speed up patient admissions.
• Oversee emergency room hand-offs and patient discharges.
• Share or receive wound images, x-rays, and lab or test results.
• Discuss a patient’s treatment with colleagues.
• Escalate patient worries and ask for physician consults.
• Confirm scripts and settle any prescription queries.

Medical workers located outside of a hospital environment – or those who supply telemedicine services – can safely communicate ePHI “on the go” from any mobile device with secure messaging to save valuable time, increase productivity and improve the standard of patient healthcare.

Put Together Your HIPAA Audit Checklist Quickly

The next phase of OCR compliance appraisals will give the OCR with a chance to examine the different mechanisms being implemented to adhere with HIPAA. The plan is also to discover best practices and discover if any new risks and weaknesses have been spotted.