HIPAA audits follow a documented protocol to analyze processes, policies, and controls put in place by Covered Entities. Although no two HIPAA audits are exactly the same, the protocol is documented here, at the HHS website.
What is the focus of a HIPAA audit?
The HIPAA audit protocol is enacted either through a randomized audit, such as those coming in October of 2014, or through a focused audit brought forth by a complaint by a patient, employee, or other entity. In either event, the first piece of documentation that must be made available to the auditors is your internal Risk Assessment. Your risk assessment should have complete and detailed documentation of your security process – dates of security hole discovery, process to fix the issue, and resolution status of the issues.
It doesn’t end with your own risk assessment, however. During a HIPAA audit, auditors will create their own risk assessment of your policies and procedures, the controls on your patients’ data, and your workflow, to determine possible weak points in the security of your patients’ information.
Auditors will also ask for your Security Management Process. It is important to note that there is no specific piece of hardware or software that is needed for data security; however, specific policies and procedures must be carried out that enforce encryption, employee access levels, and the ability to create audit trails of employee activity both in-and-out of your practice management database. The auditors may also run a scan of your network to determine holes or security risks caused by unpatched software, open ports, or passwords which are older than the maximum age allowed.
Audit Trails:
The single most important aspect of HIPAA compliance is the ability to create audit trails of your staff’s activity, both inside and outside your practice management software. This means that not only do log-ins and patient look-ups need to be logged on your server, but log-ins to the individual PCs and transfers of data must also be logged. This might seem like a tall order, but the solution is easier than you think. A Windows Server can adequately create audit trails, enforce password policies, encrypt vital data, and encrypt your network communications. Without a Windows Server, audit trails are a harder goal to reach, especially in offices with more than a few employees.
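As an added illustration of the PC log-in trail described above (this is example code, not from the original post or from dmi Networking), the following PowerShell script summarizes the successful and failed logons recorded in a Windows Security event log over the last seven days and exports the detailed trail to a CSV file. It assumes it runs with administrator rights on a Windows host where the “Audit Logon” subcategory is enabled; the CSV path and the seven-day window are assumptions you can change.

```powershell
# Added example (not from the original post): build a per-account logon trail from the
# Windows Security log. Assumes administrator rights and that logon auditing is enabled;
# verify with:  auditpol /get /category:"Logon/Logoff"
# The current password maximum age can be confirmed with:  net accounts

$since = (Get-Date).AddDays(-7)   # assumed review window

# 4624 = successful logon, 4625 = failed logon (standard Windows Security event IDs)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named fields (account, logon type, source address) out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Outcome   = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType      # 2 = interactive (at the PC), 3 = network, 10 = remote desktop
        Source    = $d.IpAddress
    }
}

# Per-account summary: counts of successes/failures and last activity, which is what a
# reviewer scans first for off-hours use or repeated failures against one account.
$rows | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account   = $_.Name
        Successes = @($_.Group | Where-Object Outcome -eq 'Success').Count
        Failures  = @($_.Group | Where-Object Outcome -eq 'Failure').Count
        LastSeen  = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize

# Retain the full trail so it can be produced for an auditor (path is an assumption)
$rows | Export-Csv -Path "$env:USERPROFILE\logon-trail.csv" -NoTypeInformation
```

Run it on each workstation, or centralize the Security logs on the server first, so that the trail covers log-ins to the individual PCs and not only the practice management database.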
Audit trails are especially necessary when malware is involved. It is important to remember that the strongest security and anti-virus software you can find can still be circumvented by a single misclick by an employee. Even tech-savvy employees can fall victim to such a misclick, since many malware installation requests are disguised as a Windows error window, a speed issue, or some pending update. If malware is installed accidentally and it leads to a breach of data, the OCR (the HHS Office for Civil Rights) will begin a HIPAA audit and ask for detailed audit trails of your staff’s activity.
HHS Hosts the HIPAA Audit Program Protocol Online.
Take a few moments to browse the Audit Protocol on the HHS website. At dmi Networking, Inc., we have direct expertise with HIPAA and can help during a HIPAA audit. Our dental technician team and HIPAA compliance consultant are here to help dental offices understand and implement compliance protocols, and are offering free HIPAA consultations in the Bay Area and beyond.