DQS Certification India Private Limited logo afaq-afnor

HIPAA Security Audit

What is HIPAA Security Audit?

The HIPAA Security Rule specifically focuses on the safeguarding of EPHI (Electronic Protected Health Information). All HIPAA covered entities, which includes some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:

  • Covered Health Care Providers— Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
  • Health Plans— Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Health Care Clearinghouses— A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.
  • Medicare Prescription Drug Card Sponsors – A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category of “covered entity” will remain in effect until the drug card program ends in 2006.

Objective of HIPAA Security audit

There are two specific regulations of interest to database professionals: the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule protects all individually identifiable protected health information (PHI) maintained by the Covered Entity. It is not specific to electronic information and applies equally to written records, telephone conversations, etc. According to the Department of Health and Human Services, PHI includes data that relates to:

  • the individual’s past, present or future physical or mental health or condition or
  • the provision of health care to the individual or
  • the past, present, or future payment for the provision of health care to the individual

The Privacy Rule’s basic mandate is that organizations may only release PHI as explicitly permitted by the Privacy Rule or with the prior written consent of the individual who is the subject of the records. The Privacy Rule also contains a number of notification requirements and administrative requirements designed to ensure proper records are maintained and that individuals are aware of their rights under HIPAA.

The Security Rule covers the security of electronic protected health information (ePHI). It prescribes a number of required policies, procedures and reporting mechanisms that must be in place for all information systems that process ePHI within the Covered Entity. It also prescribes a number of required and addressable implementation specifications designed to protect the confidentiality, integrity and availability of ePHI within the enterprise. These specifications fall into five categories:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies and Procedures

The key to compliance with the Security Rule lies in the language of the law: implementing “reasonable and appropriate” measures. You should carefully evaluate each of the items your risk assessment identifies as possible security actions against this principle. If you (and your attorney) feel that the measure isn’t reasonable and appropriate when viewed in light of the type of data in question, the size of the business, the potential risk and other circumstances, it’s only necessary to document that rationale.

It’s certainly true that HIPAA has caused database professionals a number of headaches while striving to come into compliance with the law. You should, however, view this as an opportunity to focus on the security of your databases. The procedural requirements of HIPAA only apply to specific PHI/ePHI data, but they’re reliable best practices for all of your data.

HIPAA Security Audit Methodology

HIPAA Compliance - Keys to Effective Policies & Procedures

  • Policies & procedures that are needed to stay compliant with HIPAA rules
  • Specific solutions to your most difficult security & privacy dilemmas
  • Tips on reventing, detecting, containing and correcting security violations

HIPAA Security Audits - What You Need to Know to be Prepared

  • What specific breeches can trigger an audit
  • Specific checklist to help you be audit-ready
  • Real life lessons learned from recent audits

Benefits of HIPAA Security Audit

Significant resources need to be invested over the next several years to achieve compliance with HIPAA legislation and to realize the long term benefits. 

The benefits of HIPAA Security include:-

  • Lowering administrative costs
  • Enhancing accuracy of data and reports
  • Increasing customer satisfaction
  • Reducing cycle time and improving cash management.

How can DQS help your compliance Efforts?

We can help you in three different ways depending on your need, involvement, time, available IT resources and budget.

OPTION 1: If you are in a hurry to complete the HIPAA Security Audit and you don’t have internal resources to completely devote to this project then we can independently complete the project for you. The only involvement required will be providing information about your infrastructure, policies and processes.

OPTION 2: If you have internal staff members who can completely devote their time and security & HIPAA knowledge to this project but don’t know the methodology, we will provide a project manger to work with your team and help completing the compliance project.

OPTION 3: If you have all the necessary resources for HIPAA Security Audit project but need to save time on documentation, you can use our HIPAA Risk Anal Security Audit template documents. These templates will ensure that you gather all the required information before starting the project. The finding and recommendations will be mapped to the HIPAA regulations. Many IT Security consulting companies and HIPAA consultants are using our HIPAA Security Audit templates in their projects to save time and present the findings and recommendations mapped to HIPAA regulation

OPTION 4: Our Methodology of Assessment is Plan, Audit, Execute and Manage

Contact us

Please feel free to contact us. We are looking forward to hearing from you!

Rajendra Khare
MD
DQS Certification India Private Limited
Mobile: +91-9810268573
Phone:  +91-11-27025910
e-mail: rkhare@dqsindia.com

Please note: Email communication would be preferred mode of communication.

See Also:

 

YOUR SUCCESS IS OUR GOAL