HIPAA Audit Management Program

1. Makes assessments on whether all vulnerabilities have been taken care of
2. Make verifications on if all the compliance requirements are up to standard.

• administration of systems that store, transmit, or access Electronic Protected Health Information (EPHI)
• administration systems networks (wired and wireless)
• monitoring of systems that store, transmit, or access EPHI
• monitoring systems networks (if different from above)
• Computer Hardware Specialist
• Disaster Recovery Specialist or person in charge of data backup
• Facility Access Control Coordinator (physical security)
• Human Resources Representative
• Director of Training
• Incident Response Team Leader
• Others as identified…
• Documents and other information that may be requested for investigations/reviews

• Prevention, detection, containment, and correction of security violations
• Employee background checks and confidentiality agreements
• Establishing user access for new and existing employees
• List of authentication methods used to identify users authorized to access EPHI
• List of individuals and contractors with access to EPHI to include copies of pertinent Business Associate agreements
• List of software used to manage and control access to the Internet
• Detecting, reporting, and responding to security incidents (if not in the security plan)
• Physical security
• Encryption and decryption of EPHI
• Mechanisms to ensure the integrity of data during transmission – including portable media transmission (i.e. laptops, cell phones, blackberries, thumb drives)
• Monitoring systems use – authorized and unauthorized
• Use of wireless networks
• Granting, approving, and monitoring systems access (for example, by level, role, and job function)
• Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
• Termination of systems access
• Session termination policies and procedures for inactive computer systems
• Policies and procedures for emergency access to electronic information systems
• Password management policies and procedures
• Secure workstation use (documentation of specific guidelines for each class of workstation (i.e., on-site, laptop, and home system usage)
• Disposal of media and devices containing EPHI

• Entity-wide Security Plan
• Risk Analysis (most recent)
• Risk Management Plan (addressing risks identified in the Risk Analysis)
• Security violation monitoring reports
• Vulnerability scanning plans
• Results from the most recent vulnerability scan
• Network penetration testing policy and procedure
• Results from a most recent network penetration test
• List of all user accounts with access to systems that store, transmit, or access EPHI (for active and terminated employees)
• Configuration standards to include patch management for systems that store, transmit, or access EPHI (including workstations)
• Encryption or equivalent measures implemented in systems that store, transmit, or access EPHI
• Organization chart to include staff members responsible for general HIPAA compliance to include the protection of EPHI
• Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
• Policies and procedures governing the use of virus protection software
• Data backup procedures
• Disaster recovery plans
• Disaster recovery tests plans and results
• Analysis of information systems, applications, and data groups according to their criticality and sensitivity
• Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
• List of all Primary Domain Controllers (PDC) and servers
• Inventory log recording the owner and movement media and devices that contain EPHI
• Let us help you in completing your HIPAA compliance with an audit.

View HIPAA Security Policies and Procedures

The OCR Audit Process

The Office for Civil Rights has published the audit protocols for Privacy and Security. For Covered Entities and now Business Associates alike, there is no longer any reason to delay establishing full compliance. The recently issued Omnibus Rule makes clear that enforcement of HIPAA compliance standards has arrived and will be vigorously pursued. Penalties and fines will be forthcoming for those that put off establishing compliant operations and the now published Privacy and Security Audit Protocols make equally clear what each entity can expect.

We have taken these protocols and molded them into our collaborative, consultative process. This ensures that we obtain all the required information but in a manner that is neither painful nor adversarial. Our goal is to gain the facts and insight through which to tailor changes to your work processes to bring them smoothly into compliant performance. The result is constructive changes and adjustments where and as needed with minimal disruption.

Our Audit Process

OCR does not need to understand your environment: they simply need to confirm that you are doing all you are required to do, and find you if you aren’t. They have no interest in your operations beyond this determination and result. Other audit firms are likewise driven. Neither is concerned with the burden this can create, or whether any efficiencies can be cogenerated along with achieving compliance to offset it. This is precisely where we are different from all the rest. We do care.

We understand the escalating costs you face, the mounting bureaucracy of regulations and paperwork, the increased drive to automate, and the disruptive change that can cause. Most firms grasp this because they have no direct experience themselves. We know the challenges you face because we have been there ourselves. That is why we work with and for you to achieve these goals: get you compliant and set it up to stay that way by building it into your processes.

Our techniques are the industry-standard, time-proven methods used by all firms:

We interview your in-house experts to determine their knowledge, awareness, and engagement with the importance of these requirements to gain a sense of the environment. We share with them our knowledge of the regulations to enhance their knowledge.

We examine your policy and guidance documentation to ensure that the regulatory requirements and properly embodied in them so that you have established the correct framework for performance, internal enforcement, and corrective action when needed.

We observe your staff at work as part of our gaining familiarity with your environment and to ensure that what we found in your documentation we actually find being practiced by your workforce.

We substantively test various parts of your automated systems to ensure that the stated specifications to support privacy and achieve the requirements of the Security Rule are in place and functioning correctly.

Our process verifies that all the requirements are being met regularly and reliably so that your expectations are being met and so that you can be confident in knowing rather than trusting that things are working properly.