Facing a HIPAA Audit? Here is What Auditors Want

The HHS Office for Civil Rights, once again, is promising that its expanded HIPAA privacy/security/breach notification audit program will soon start.

There are a lot of issues OCR looks for during an audit and its protocols are available here. But, as the cyber threat continues to intensify, the feds are taking a closer look at the security posture of healthcare organizations’ business associates and subcontractors. “Our vendors might be the path of least resistance for these incidents,” said Joseph Kirkpatrick, managing partner in the security compliance assessment services unit of accounting firm KirkpatrickPrice, during a presentation at last week’s AHIMA 2015 Convention.

Hackers know that many business associates are a weak link in the security chain. OCR also knows that, as do multiple state attorneys general who are conducting their own HIPAA compliance enforcement activities.

Also See: Hacker Identifies Glaring Holes in Network Security

In the past, a healthcare organization could manage its vendors by contract—stipulating what security provisions a particular business associate is responsible for. Now, Kirkpatrick said, hiding behind a contract won’t work anymore. Providers and insurers need to take full custody by closely overseeing relationships with vendors, knowing where their data is, how it is secured and where it is going. The bottom line: Courts want to see proper oversight and it is the customer’s responsibility to ensure its vendors and subcontractors are compliant not just on paper but in practice.

And those vendors include your law firm, which can have its own share of security deficiencies, Kirkpatrick said. Lawyers don’t like to be called vendors or business associates, but they are and they must sign business associate agreements. You should require your law firm to show evidence of conducting vulnerability assessments, and training employees on security awareness so they are not linking on phishing emails.

That said, a healthcare organization likely cannot evaluate a law firm to the same extent as other vendors as attorneys work under specific professional standards that limit the sharing of information. But you can make sure their security technology is up to expectations and if not, can file a complaint with the local bar association, in which case the firm could lose some certifications, Kirkpatrick said.

For all business associates, you should ask for proof of cyber insurance, which should be customary especially now that it is quite affordable. The beauty of insurance, Kirkpatrick said, is that if there is an incident, insurers will conduct an investigation and you can require business associates and subcontractors to share the findings.

What Auditors Want

Too often, a government or private auditor will ask how an organization is ensuring vendor security compliance and be handed a policy to read. What they want is to be shown how vendors are being monitored.

In particular, auditors have several questions you can be sure they will ask and want proof:

* Do you know the name of your business associates and their subcontractors?

* Do you address the risks of subcontractors?

* Do your policies define permissible uses and disclosures of protected health information?

* Do your agreements require business associates to provide evidence of appropriate safeguards? How do you determine what is appropriate?

* Do you have a defined incident response procedure?

* Do you require the BA to provide auditors with all necessary documentation in case of an audit?

* Does your business associate agreement have teeth, with termination an option in case of violations?

* Do you make clear that the vendor is responsible for telling you if there is a breach?

For reprint and licensing requests for this article, click here.