What should auditors keep in mind during Security Rule audits?

HIPAA security audits require the auditor to pay attention to the prevailing general conditions or stipulations that may affect the audit plan, as well as to how existing controls and methods address each of the 42 security standards. On the IT side, auditors need to review the organization's use of appropriate controls to ensure the protection of personally identifiable health information. The following list summarizes points auditors should keep in mind during Security Rule audits:
• The HIPAA Security Rule is tied directly to the HIPAA Privacy Rule and incorporates elements of the Privacy Rule through cross-referencing. For instance, the requirement in paragraph 164.530 of the Privacy Rule deals with policies and procedures, including IT, and is carried forward in the Security Rule's requirement for appropriate policies and procedures and in the retention period for them.
• The Security Rule's scope is organization-wide: it applies to the implementation of security standards in all relevant business processes, not just IT.
•    The Security Rule represents a minimum set of security standards organizations must have in place for compliance. Many businesses have processes and requirements that are unique to the way they do their work. As a result, appropriate additional IT controls and procedures should be in place.
• The Privacy and Security Rules extend the adopted IT and other standards to business partners through the formal Business Associate Agreement process. This is a formal standard stated in both rules; the privacy standards are found in the Privacy Rule and the security standards in the Security Rule.
• The standards in the Security Rule, and the company's implementation of the corresponding IT and other controls, must be based on the results of periodic risk assessments conducted by the company. The results of these risk assessments help the auditor judge the effectiveness of company-wide information security efforts to protect business assets.