Introduction
Navigating the intricate landscape of healthcare data management requires adherence to HIPAA regulations and robust cybersecurity measures. Whether you’re a market-leading VA provider or a new agency, receiving an information request from the Office for Civil Rights (OCR) can throw a wrench into the works. With cyberattacks targeting healthcare being at an all-time high, any unfortunate event can trigger a HIPAA audit for you as a business associate (BA) to covered entities like practices, hospitals, and clinics.
If your team of virtual medical assistants (VMAs) is routinely compliant in how they access and handle ePHI and PII, you’re much less likely to receive a communique from the OCR. Yet, in the odd chance that you do, here’s how you can prepare for it, pass it with flying colors, and dodge any HIPAA breach penalties along the way.
Let’s begin.
Note: Do VMAs fall under the HIPAA Business Associate Compliance?
Yes, as of 2013, since VMAs offer covered entities with services across data aggregation, management, and administration, they are required to comply with the Security, Privacy, and Breach Notification Rules – with a possible penalty of up to $50,000 per violation.
In September 2020, CHSPSC, a service provider to hospitals indirectly owned by Community Health Systems, paid $2.3 million in penalties to the OCR following an audit that found longstanding, systemic noncompliance with HIPAA resulting in a breach of 6 million patients in 2019.
What is a HIPAA Compliance Audit?
A HIPAA compliance audit evaluates compliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA). This is a federal law setting national standards for safeguarding personal health information (PHI) and electronic health information (ePHI).
This audit is conducted annually by the US Health and Human Services (HHS) Office for Civil Rights (OCR) and it assesses how covered entities or business associates manage both PHI and ePHI. The act has also laid out the 18 identifiers for PHI including data that identifies individuals electronically or in print, such as names and health details.
The audit process entails a comprehensive review of an organization's HIPAA compliance policies, procedures, and safeguards—both physical and technical—protecting patient data.
While third-party auditors or internal departments may also perform HIPAA audits, these lack official status and carry less weight than OCR audits. Typically, they serve a proactive role in information security risk management by identifying and addressing potential issues before they escalate.
8 things that can trigger a HIPAA audit for a BA
What will be audited - the documents you will need on hand
What the OCR auditor will ask you to present will largely depend on what triggered the HIPAA audit, yet anything under the sun can be up for scrutiny. Generally speaking, your company should be able to present demonstrable evidence of compliance through and through. Some evidence that can support your claim can include:
- Policy Documentation: Record of policies addressing compliance with the Privacy, Security, and Breach Notification Rules.
- Incident Records: Documentation of incidents, breaches, or complaints involving PHI, along with your organization's responses.
- Business Associate Agreements: Agreements outlining your responsibilities in safeguarding PHI and complying with HIPAA.
- Administrative Safeguards: Procedures for managing the security and privacy of PHI, including workforce security training, access controls, and incident response.
- Physical Safeguards: Controls for facility access and workstation security to protect PHI.
- Technical Safeguards: Measures like access controls, encryption, and audit logging to prevent unauthorized access or disclosure of PHI.
How To Prepare for a HIPAA Compliance Audit?
As with everything, the best way to pass a HIPAA compliance audit is to be ready before it knocks on your door. This makes it important to weave compliance and documentation in your team’s day-to-day.
Leveraging HIPAA-compliant tools can also be instrumental in seamlessly integrating HIPAA compliance into your daily operations and preparing for potential audits. By integrating such tools into your workflow, you not only enhance data security but also simplify documentation and reporting tasks, laying a solid foundation for continuous compliance.
Here are the 10 steps that can help you pass with excellence:
Step 1: Appoint a HIPAA Security and Privacy Officer:
The Privacy Officer assumes a critical role in staff training, HIPAA compliance, and privacy practices oversight. In larger organizations, this role may be split, with an Information Security Officer overseeing security initiatives. These officers are pivotal in establishing and enforcing a comprehensive HIPAA compliance program.
The primary duties of a HIPAA privacy and security officer include:
- Development and supervision of privacy policies and procedures.
- Ensuring the adequacy of security policies and procedures to safeguard the organization's PHI and creating new ones as needed.
- Conducting annual training and monitoring of the organization's workforce on HIPAA regulations.
- Investigating potential breaches involving ePHI or PHI.
- Establishing policies and procedures for protecting PHI in cases where privacy policies are insufficient.
When choosing a candidate for this role, consider their experience, technical expertise, and ability to effectively communicate with staff and executives. Remember that this officer will serve as the point of contact with the OCR during audits.
Step 2: Provide HIPAA Training for Employees to Foster Compliance:
Your team of VMAs must know HIPAA regulations in detail along with the consequences of non-compliance. Comprehensive training ensures that all employees within your organization are well-informed about recent legal updates and best practices around safeguarding PHI.
To achieve this goal, start by offering educational materials and training to all employees, covering topics such as patient rights and the handling of confidential information. Ideally, new employees should receive training shortly after they join.
Here is a checklist of what your HIPAA training program should accomplish:
- Ensure employees understand the significance of HIPAA and the reasons for protecting PHI.
- Review the fundamental principles of HIPAA law and its relevance to your organization.
- Outline specific procedures and controls for handling patient information.
- Explain the repercussions of violating HIPAA regulations.
- Ensure employees stay informed about the latest changes in HIPAA through regular training sessions.
Here are the 5 top-rated HIPAA training programs out there, as reported by "The Balance".
Step 3: Create a Risk Management Plan and Conduct a Risk Analysis:
Conducting a security analysis is the next step in identifying potential vulnerabilities. Since each organization is unique, risk assessment processes can vary to accommodate size, risks, and business requirements.
Here are five steps to conduct a risk assessment:
Note: It is imperative to maintain thorough documentation of your organization's risk assessments and HIPAA risk analysis to present during audits.
- Document PHI storage locations as you map the flow of PHI, identifying where it is generated, transmitted, stored, and where exits the system.
- Identify threats, risks, and vulnerabilities in your systems, applications, and processes, considering factors like hackers, weak passwords, and disgruntled employees who may want to harm you.
- Assess and analyze your organization's HIPAA risk level, factoring in the probability of threats occurring and their potential impact.
- Develop a risk management plan and test your environment through vulnerability scans, penetration tests, and gap analyses.
- Document and detail everything.
Proactive risk management ensures the safety and security of patient information stored in HIPAA-compliant software, contributing to a successful HIPAA audit.
Step 4: Implement Periodic Review of Policies and Procedures:
Policies and procedures are only good if they’re regularly reviewed and refined to meet the changing times. The OCR will assess how your policies are put into practice and examine your progression plan to gauge your progress in implementing new programs or policies. So, be sure to define procedures for handling requests related to privacy protection, access, correction, and transfers of PHI. This includes procedures for verifying requester identities, assessing request validity, and maintaining an accounting of disclosures.
Step 5: Maintain HIPAA Audit Logs:
It’s important to implement mechanisms to continuously record and monitor activity within systems containing ePHI, as mandated by the Security Rule. Audit logs aid in tracking user access, detecting security breaches, and investigating unauthorized activities - which can be your golden key to ensuring compliance.
Here are the 3 types of audit logs you need to have, as per HIPAA regulations:
- Application Audit Logs: To record user activity for people using any application, be it on-premises or the cloud to monitor how files are opened, closed, created, edited, and deleted.
- System-level Audit Logs: To record system-wide events, including system shutdowns or reboots, user authentication and authorization, and resource access by specific users.
- User Audit Logs: To record user activity including access to PHI and any system commands executed by that user.
At PureDome, we have provided extensive admin and application audit logs to companies like HelloRache to help them authenticate and authorize their VMAs and track how they access various cloud-based applications.
Step 6: Enforce Role-Based Access Controls (RBAC):
Restricting data access to job-specific needs is a surefire way to minimize unauthorized ePHI access. RBAC enhances data protection, streamlines management, and fulfills HIPAA requirements in one quick move. A network security solution that delivers ZTNA can further ensure this by verifying each user against strict identity and device health checks before offering them the least privileged access to your network and applications.
Step 7: Review Business Associate Agreements (BAAs):
Your BAAs are your holy grail to maintaining trust with the covered entities you’re working with and safeguarding you from future liabilities that come with non-compliance to HIPAA - if you adhere to it of course. Regularly review and update BAAs to align with current HIPAA requirements to ensure comprehensive data protection.
Step 8: Enhance Network Security:
When it comes to cyberattacks, healthcare and IT data are the highest at risk. This makes it paramount that you implement advanced security measures, including firewalls, intrusion detection systems, encryption, network segmentation, and multi-factor authentication on the user, device, and application level. Regular security assessments bolster the overall security posture of your company and keep you consistently HIPAA compliant.
To mitigate security risks, healthcare organizations can greatly benefit from investing in a robust zero-trust security strategy that focuses on verifying and validating every user and device trying to access sensitive data, providing an extra layer of protection.
Step 9: Conduct Internal Audits (Regularly):
Conducting an internal audit helps identify potential risks or instances of non-compliance, saving you both time and money. Internal audits aim to pinpoint areas where answers are needed and procedures can be updated. Areas of review may include:
- Technical safeguards for ePHI protection.
- Physical security for paper files.
- Monitoring HIPAA policy adherence.
- Assessments of security effectiveness.
- Preparedness for official HIPAA audits.
Step 10: Develop an Internal Recovery Plan:
A critical component of HIPAA auditing is having a plan in place for subsequent steps following a data breach or other violations. This internal recovery plan should outline specific actions to address and rectify breaches and steps to prevent future occurrences.
For instance, the plan may encompass notifying affected individuals, reporting the incident to relevant authorities, conducting a risk assessment, implementing additional security measures, and providing staff training on compliance protocols.
Establishing an effective internal recovery plan can mitigate damage in the event of a HIPAA violation and demonstrate an ongoing commitment to compliance during audits.
What really happens when you’re approached for a HIPAA audit?
The bottom line? Your best bet is to consistently review and update your HIPAA policies and procedures, train staff on security measures, and promptly address any reported issues.
How much does a HIPAA audit cost?
The good news is that there are no direct costs associated with an official HIPAA audit conducted by the OCR as the HHS bears the entire cost of conducting it. However, you may have to bear some indirect costs in the way of preparing for your audit, like hiring consultants or the opportunity cost of allocating staff’s time and resources on the project.
According to ZipRecruiter, the average cost of hiring a HIPAA consultant in the United States is just under $50 an hour.
If you choose to conduct an internal audit by an external auditor, it can set you back by anywhere between $4,000 to $78,000+ depending on your organization’s size and your current environment. Of course, this depends entirely on the scope of your audit, how big your company is, how many locations you have, and how complex your network is.
How long does a HIPAA audit take?
A HIPAA audit can last anywhere from a few weeks to several months depending on:
- What is the scope of the audit.
- What is the size and complexity of the organization undergoing the audit.
- Whether or not there are any external entities present that can add complexity and extend the investigation.
As mentioned above, the OCR usually provides an advance notice before initiating an audit that contains information about the audit's purpose, scope, and expected duration. The OCR may also conduct follow-up audits to ensure that you’ve successfully implemented the required corrective measures, but this is subject to the severity of any identified issues. Regardless, this can add to the time.
How PureDome Simplifies HIPAA Compliance for VMAs with Secure Remote Access Solutions
With medical practices becoming more open to hiring virtual assistants to manage mundane tasks, owing to their lower hourly wage and higher efficiency, it’s become imperative that remote staffing companies prioritize HIPAA compliance across the board as they grow.
With PureDome's static IP solution, fortified by advanced encryption protocols, customers have ensured the highest level of security during global data transmissions. They have also eliminated the hassles of frequent ISP engagements to enable seamless and secure healthcare workflows. By leveraging our powerful device posture checks, ID provider integrations, and robust admin panel, our customers have successfully streamlined operations and met HIPAA compliance requirements. You can too.