The HIPAA security audit requirements are that covered entities and business associates conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Although there is not a specific section of the Security Rule dedicated to HIPAA security audit requirements, §164.306 of the Security Rule states covered entities and business associates are required to ensure the confidentiality, integrity, and availability of PHI, protect against any reasonably anticipated threats or hazards to the security of PHI, and protect against any reasonably anticipated uses or disclosures of PHI not permitted by the Privacy Rule.
The way to comply with this standard is to create an audit of where PHI originates, where it is stored, and how it is used or disclosed. Thereafter, it is necessary to identify potential risks and vulnerabilities, assess the likely impact of the risks and vulnerabilities, and implement measures to reduce the likelihood of the risks and vulnerabilities occurring. As a summary, these are effectively the HIPAA security audit requirements in their entirety.
However, complying with the HIPAA security audit requirements is not straightforward. There may be difficulties in auditing PHI if teams within an organization use unsanctioned software (“Shadow IT”) to collect, receive, store, or transmit PHI. When identifying potential risks and vulnerabilities, you must also consider business associates, subcontractors, and insider threats attributable to malicious actors, carelessness, and a lack of knowledge.
HIPAA Security Audits and the Flexibility of Approach
It is also the case that the HIPAA Security Rule allows a “flexibility of approach”. This gives covered entities and business associates a degree of discretion in deciding how PHI is audited and what security measures are implemented according to:
- The size, complexity, and capabilities of the organization.
- Its existing technical infrastructure, hardware, and software security capabilities.
- The cost of the security measures.
The flexibility of approach opens a massive can of worms with regards to complying with the HIPAA security audit requirements. If, for example, a healthcare organization operates using a patchwork of unconnected legacy systems, it may not be possible to determine where PHI originates and is stored, or how it is used and disclosed. The organization may also use multiple types of security solutions, and could find it too expensive to replace its existing infrastructure.
However, the complexity of compiling a HIPAA security assessment checklist and the cost of security measures to fill gaps on the checklist does not absolve an organization from making a good faith effort to comply with HIPAA. The requirements of §164.306 do not come with the proviso “if you can”; and HHS’ Office for Civil Rights does not look kindly on organizations that have made no attempt to comply with HIPAA due to “willful neglect”.
How to Comply with the HIPAA Security Audit Requirements
The way to comply with the HIPAA security audit requirements is to create a compliance team under the control of the Privacy and Security Officers. The team should be comprised of members of the workforce with different roles in the organization (i.e., nursing, administration, payments, IT, HR, legal, etc.) so it is possible not only to determine what systems are being used to create, receive, store, and transmit PHI, but also how they are being used.
Understanding how systems are being used will enable Security Officers to resolve issues with unconnected legacy systems. Similarly, understanding how systems are being used will enable Privacy Officers to identify potential compliance failures that could easily be resolved by a change to policies and procedures and/or HIPAA training. These measures will not only reduce complexity and increase HIPAA compliance, but will also reduce the cost of HIPAA compliance.
Thereafter, it will be easier to create a holistic audit of where PHI originates, where it is stored, and how it is used or disclosed. This will make it easier to identify potential risks and vulnerabilities and make decisions about what security measures would be best to reduce the risk of HIPAA violations and data breaches. Organizations who need further advice about creating a compliance team, compiling a HIPAA security assessment checklist, or complying with the HIPAA security audit requirements are advised to seek professional compliance help.
