HIPAA security audits require the auditor to pay attention to the prevailing general conditions or stipulations that may affect the audit plan, as well as to how existing controls and methods address each of the 42 security standards. On the IT side, auditors need to review the organization's use of appropriate controls to ensure the protection of personally identifiable health information. The following list provides useful points auditors should keep in mind during Security Rule audits:
• The HIPAA Security Rule is tied directly to the HIPAA Privacy Rule and incorporates elements of the Privacy Rule through cross-referencing. For instance, the requirement in paragraph 164.530 of the Privacy Rule deals with policies and procedures, including IT policies and procedures, and is carried forward in the Security Rule in its requirement for appropriate policies and procedures and in the retention period for them.
• The Security Rule's scope is corporate-wide: it applies to the implementation of security standards in all relevant business processes, not just in IT.
• The Security Rule represents a minimum set of security standards that organizations must have in place for compliance. Many businesses have processes and requirements that are unique to the way they do their work, so appropriate additional IT controls and procedures should be in place beyond that minimum.
• Both the Privacy Rule and the Security Rule extend the adopted IT and other standards to business partners through the formal Business Associate Agreement process; this is a formal standard stated in both rules. The standards for privacy and for security are found in the Privacy Rule and the Security Rule, respectively.
• The standards in the Security Rule, and the company's implementation of the corresponding IT and other controls, must be based on the results of periodic risk assessments conducted by the company. The results of these risk assessments will help the auditor determine the effectiveness of company-wide information security efforts to protect business assets.


What should auditors keep in mind during Security Rule audits?
HHS getting stricter on business process failures causing HIPAA violations
The U.S. Department of Health and Human Services made two announcements last month: 1. It had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act's privacy provisions. 2. Massachusetts General Hospital had agreed to pay HHS a total of $1 million to …
Official announcement made for the training of state attorneys general to file federal lawsuits
It was recently announced that training for state attorneys general on how to file a HIPAA federal civil lawsuit will be offered this spring. Though the HITECH Act enabled state attorneys general to file such federal lawsuits, not many such actions have been taken apart from a few cases like the lawsuit filed by former …
Is your sensitive medical data secured with your web application?
Big organizations often need web applications to handle and manage their medical information, but under the strict HIPAA compliance rules, healthcare providers need to ensure that they entrust their sensitive PHI data only to vendors and partners who are as vigilant as they themselves are in protecting PHI. As such, when choosing your web designer …
Knowing about Patient Safety and Quality Improvement Act
The regulation implementing the Patient Safety and Quality Improvement Act of 2005 (PSQIA) was published on November 21, 2008, and became effective on January 19, 2009. PSQIA establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of …
Knowing about Advanced Encryption Standard (AES)
HIPAA data encryption standards require health care providers, health insurance companies and business associates who transmit, store or access protected health information in electronic form to use a standardized level of data encryption. The Advanced Encryption Standard (AES) is a Federal Information Processing Standards (FIPS)-approved cryptographic algorithm used to protect electronic data and is quite …
Exceptional cases when PHI may be disclosed by healthcare professionals
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has a Privacy Rule to ensure the protection of a patient's health information. However, there are certain exceptions to confidentiality: 1. If a state or federal law authorizes medical disclosures, then the HIPAA Privacy Rule does not apply. For instance, if paternity of a child …
The five titles which make up HIPAA
The HIPAA law was enacted to improve the efficiency and effectiveness of the American health care system. The law includes administrative simplification provisions to establish standards and requirements for the electronic transmission of certain health care information. It also requires organizations exchanging information for health care transactions to follow national implementation guidelines. To meet these …
What are the HIPAA Notice Requirements?
HIPAA has various notice requirements as part of its regulatory scheme. The Department of Labor publishes a Compliance Assistance Guide that organizes the notice requirements in HIPAA into a chart, applicable as of October 2010. The various requirements under HIPAA Notice can be listed as: HIPAA Certificate of Creditable Coverage. The HIPAA certificate of creditable …
SecureGRC SB™ from eGestalt to help small businesses with HIPAA & HITECH compliance
eGestalt is a provider of information technology governance, risk management and compliance (IT-GRC) solutions for small to mid-size organizations. eGestalt, headquartered in Santa Clara, California, with offices in the US, Asia-Pacific and the Middle East, has announced the U.S. availability of SecureGRC SB™, a patent-pending cloud computing and Software-as-a-Service (SaaS) application that helps to meet HIPAA …