HIPAA Audit: Compliance for Security

The Department of Health and Human Services' (DHHS) Office of e-Health Standards and Services released
2 page document with the list of Sample - Interview and Document Request for HIPAA Security Onsite
Investigations and Compliance Audit Reviews.

To download PDF:
Official DHHS released HIPAA Audit Checklist

View HIPAA Audit Checklist released by DHHS

The HIPAA Security Rule establishes very clearly the requirements for the Risk Management implementation
specification, the Audit Controls standard and the Evaluation standard:

Risk Management Implementation Specification

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Audit Controls Standard

Implement hardware, software, and/or procedural mechanisms that record and examine activity of information systems that contain or use electronic PHI (e-PHI).

Evaluation Standard

Perform a periodic technical and non-technical evaluation to demonstrate and document compliance with the entity’s security policy and the requirements of the HIPAA Security Rule.

The Risk Management standard requires that organizations regularly identify, select, and implement controls, countermeasures, reporting and verification to achieve an appropriate level of risk at an acceptable cost. Organizations must also repeat the process of identification of all vulnerabilities of electronic PHI's as well as other information assets and determine appropriate security measures to reduce risks to a reasonable and appropriate level.

All organizations should go beyond just meeting HIPAA Security Rule compliance requirements. The compliance requirements are not limited to electronic PHI's. Organizations must evaluate their security requirements for all information assets. Evaluation of compliance requirements may be performed internally, with an external resource or jointly.

The Security Rule requires Covered Entities periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of the Security Rule.

Objective of HIPAA Audit and Evaluation for Compliance

The objective of HIPAA Audit includes the following activities:

1. Assess if all vulnerabilities have been addressed.
2. Verify that all compliance requirements have been met.

Item	HIPAA Citation	HIPAA Security Rule Standard Implementation Specification	Implementation
ADMINISTRATIVE SAFEGUARDS
	164.308 (a) (1) (i)	Security Management Process
	164.308 (a) (1) (ii) (B)	Risk Management	Required
	164.308 (a) (8)	Evaluation	Required
TECHNICAL SAFEGUARDS
	164.312 (b)	Audit Controls	Required

Risk Management

The objective of risk management is to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

The NIST defines risk as the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. Risk is a function of the likelihood of a given threat-sources exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

Security professionals generally define risk management as a process for identifying, selecting, and implementing controls, countermeasures, reporting, and verification to achieve an appropriate level of risk at an acceptable cost.

Audit Controls

The objective of the Audit Control standard is to implement hardware, software, and/or procedural mechanisms that record and examine information systems activity that contains or uses electronic protected health information.

Organizations will need to review and deploy mechanisms to record and examine system activity to determine suspicious data activities. The audit capability must enable tracing not just to the device but also to the user. The security policy must hold individuals responsible for their actions. The policies lead to procedures to follow in the event of audit alarms or discrepancies.

Audit controls may apply to a system, a network, an application or any other technical process. The Covered Entity should specify how long the organization will retain the audit log data. The required retention period for the audit log data should be adequate to investigate instances of inappropriate access.

The organization should define who may access the systems audit log data and provide for secure storage and protection of the system log data, especially for data that contain protected health information. Audit trails may become evidence in legal proceedings, so care should be taken to protect their integrity in order to preserve their usefulness for such purposes.

Evaluation

The objective of the Evaluation standard is to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

It is required that Covered Entities periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of the Security Rule. Covered Entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation. This evaluation may be performed internally or by an external accrediting agency, acting as a Business Associate. The evaluation would be to both technical and non-technical components of security.

Strong audit trails are a critical component of an organization’s security strategy and help the entity ensure confidentiality, integrity and availability of e-PHI and other vital information and prevent any HIPAA law violations.

HIPAA Audit Checklist released by DHHS' Office of e-Health Standards and Services

Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews

1. Personnel that may be interviewed :

President, CEO or Director

HIPAA Compliance Officer

Lead Systems Manager or Director

Systems Security Officer

Lead Network Engineer and/or individuals responsible for:

• administration of systems that store, transmit, or access Electronic Protected Health Information (EPHI)
• administration systems networks (wired and wireless)
• monitoring of systems that store, transmit, or access EPHI
• monitoring systems networks (if different from above)
• Computer Hardware Specialist
• Disaster Recovery Specialist or person in charge of data backup
• Facility Access Control Coordinator (physical security)
• Human Resources Representative
• Director of Training
• Incident Response Team Leader
• Others as identified…


2. Documents and other information that may be requested for investigations/reviews

a. Policies and Procedures and other evidence that address the following:


• Prevention, detection, containment, and correction of security violations
• Employee background checks and confidentiality agreements
• Establishing user access for new and existing employees
• List of authentication methods used to identify users authorized to access EPHI
• List of individuals and contractors with access to EPHI to include copies of pertinent Business Associate agreements
• List of software used to manage and control access to the Internet
• Detecting, reporting, and responding to security incidents (if not in the security plan)
• Physical security
• Encryption and decryption of EPHI
• Mechanisms to ensure integrity of data during transmission - including portable media transmission (i.e. laptops, cell phones, blackberries, thumb drives)
• Monitoring systems use - authorized and unauthorized
• Use of wireless networks
• Granting, approving, and monitoring systems access (for example, by level, role, and job function)
• Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
• Termination of systems access
• Session termination policies and procedures for inactive computer systems
• Policies and procedures for emergency access to electronic information systems
• Password management policies and procedures
• Secure workstation use (documentation of specific guidelines for each class of workstation (i.e., on site, laptop, and home system usage)
• Disposal of media and devices containing EPHI


b. Other Documents:

• Entity-wide Security Plan
• Risk Analysis (most recent)
• Risk Management Plan (addressing risks identified in the Risk Analysis)
• Security violation monitoring reports
• Vulnerability scanning plans
• Results from most recent vulnerability scan
• Network penetration testing policy and procedure
• Results from most recent network penetration test
• List of all user accounts with access to systems that store, transmit, or access EPHI (for active and terminated employees)
• Configuration standards to include patch management for systems that store, transmit, or access EPHI (including workstations)
• Encryption or equivalent measures implemented in systems that store, transmit, or access EPHI
• Organization chart to include staff members responsible for general HIPAA compliance to include the protection of EPHI
• Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
• Policies and procedures governing the use of virus protection software
• Data backup procedures
• Disaster recovery plans
• Disaster recovery test plans and results
• Analysis of information systems, applications, and data groups according to their criticality and sensitivity
• Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
• List of all Primary Domain Controllers (PDC) and servers
• Inventory log recording the owner and movement media and devices that contain EPHI
• Let us help you in completing your HIPAA compliance with an audit.

View HIPAA Security Policies and Procedures

Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591