HIPAA Audits: The Proof Is in the Process

April 1, 2021

This blog post is taken from a recent webinar featuring Marti Arvin, Vice President of Audit Strategy at CynergisTek.

A cornerstone of auditing HIPAA compliance is the existence of a clear and established process. If you haven’t done so recently, consider revisiting your process for auditing employee access to PHI. OCR requires you to demonstrate you have a strong process that assures prompt investigation and notification in no more than 60 days after the discovery of inappropriate access. You must document not only your findings, but also your process for conducting the audit. You will be expected to demonstrate a labor-intensive auditing process, unless you have technology tools to assist you.

Making Tough Choices

I often hear, “We don’t have money to buy that technology or software. We don’t have money to hire the people to do this.” That will never be an adequate explanation for OCR. You’re in the healthcare business, and under current regulations, there is an expectation you will do what is necessary to protect the data of the individual. Organizations must make the technology and administrative choices necessary to mitigate their risks. The technology and staffing I used at UCLA may not be the same as yours. What’s important is the result.

For example, you may have established a process that routinely reviews the volume of records each employee accesses. If Marti normally accesses 50 patient records a day, and suddenly she’s looking at 200 records a day, why is that? Was Marti assigned a special project, or was she doing something else? Was she doing something nefarious? Was she selling patients’ identities or allowing someone else to steal identities? You must have a structured process for auditing employee access.

When your audit process identifies anomalies, ensure you investigate them promptly and thoroughly. The review must determine whether the anomaly is harmless and appropriate, providing the reasons why, or whether it’s an inappropriate anomaly that must be reported. Your process should be ongoing and repeated as needed.
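A minimal sketch of the volume review described above, added here as an illustration; it is not taken from the webinar or from any CynergisTek tooling. The log layout, the 3x threshold and the five-day minimum history are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def daily_patient_counts(events):
    """events: iterable of (day, user, patient_id) -> {user: {day: distinct patients}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, patient_id in events:
        seen[user][day].add(patient_id)  # a set, so reopening one chart counts once
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_volume_anomalies(events, ratio=3.0, min_history=5):
    """Flag user-days at or above ratio x the median of that user's own prior days."""
    findings = []
    for user, per_day in daily_patient_counts(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]  # prior days only
            if len(history) < min_history:
                continue  # too little history to say what "normal" is
            baseline = median(history)
            if per_day[day] >= ratio * baseline:
                findings.append({
                    "user": user, "day": day,
                    "count": per_day[day], "baseline": baseline,
                    # The reviewer records the outcome and the reason here,
                    # so the audit process itself is documented.
                    "disposition": "OPEN",
                })
    return findings


def build_sample_log():
    """Constructed data: marti opens 50 charts a day, then 200; sam stays at 30."""
    start, events = date(2021, 3, 1), []
    for offset in range(6):
        day = start + timedelta(days=offset)
        marti_volume = 200 if offset == 5 else 50
        events += [(day, "marti", f"P{n:04d}") for n in range(marti_volume)]
        events.append((day, "marti", "P0000"))  # repeat open, must not inflate the count
        events += [(day, "sam", f"P{n:04d}") for n in range(30)]
    return events


if __name__ == "__main__":
    for finding in flag_volume_anomalies(build_sample_log()):
        print(finding)
```

Each finding starts with an open disposition so the investigation outcome, whether an assigned project or inappropriate access, is recorded next to the evidence that triggered it.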

Risk Analysis

You must also perform a periodic risk analysis. How often is often enough? The industry standard is at least once every three years, and I recommend this as a minimum. The OCR phase two audit process includes a security provision requesting that organizations provide them with both the prior and most recent risk assessments. They want to examine the time frame between issues you identified in the prior assessment and in the most recent. They want to see evidence you have mitigated any identified risk or evidence the mitigation is well underway.

You may think, for example, people transferring PHI to a thumb drive is a threat to your organization. One solution might be installing software that encrypts anything transferred to a thumb drive. Alternatively, you may disable USB drives so no one can download data to a thumb drive. Those are two very different but acceptable ways of handling the same issue. In either case, you’ll be expected to repeat the risk analysis to evaluate whether your remediation is working and to address any new risks to the environment.

If you make the tough choices, you can sleep well, knowing you have a solid process for assuring HIPAA compliance.
