HIPAA

Annual HIPAA Audit

  • 1.  Annual HIPAA Audit

    Posted 06-01-2020 05:36 PM
    Good Evening-

    Is an annual HIPAA audit conducted by a third party a legal or regulatory requirement for a healthcare entity? Or is it rather just a best practice to conduct an audit annually, whether by a third party or internally? Or is it not even an annual thing?

    Thank you!

    Erica

    ------------------------------
    Erica Jansky MS/CCC-SLP, MS/MOB
    Director of QA & Compliance
    CHS Therapy
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Annual HIPAA Audit

    Posted 06-01-2020 05:52 PM
    I've not heard of an annual HIPAA audit.  There are various self audits that an entity could do internally on an annual basis, but nothing in the way of a legal or regulatory requirement.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 3.  RE: Annual HIPAA Audit

    Posted 06-01-2020 07:40 PM
    Erica...the nice thing is that...from a C&C...if anyone shares with you a different perspective, simply ask them to share their source from the regulations.

    Is an annual HIPAA audit conducted by a third party, a legal or regulatory requirement for a healthcare entity?
    There is no such annual audit required by HIPAA.  The keyword is required and on an annual basis.  There are many auditing options...keyword...options...that organizations exercise and may refer to these as "best practice" etc...but no such audit (done internally or externally) is required in the regs.  Believe me, I have lost count on how many sessions I've attended where people have declared that "annual audits are required".  However, when I and many others in other eGroups have asked (call me out...you know who you are who have asked as well) where these are located, we simply get..."check the regs".  That's the first red flag...and if you or anyone finds something in the regs, please share.

    I would start there and then if people want to start sharing how audits done every X months are a good thing for whatever reasons...great...but let's make sure we are starting from a valid and confirmable starting point.

    Thanks for posting!

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    ------------------------------



  • 4.  RE: Annual HIPAA Audit

    Posted 06-01-2020 07:50 PM
    Thank you David and Frank!  I'm not the Privacy Officer yet so HIPAA has not been my focus, but we are working with a vendor that said yes it needs to be done annually so I thought I would reach out here for more insight.

    ------------------------------
    Erica Jansky MS/CCC-SLP, MS/MOB
    Director of QA & Compliance
    CHS Therapy
    ------------------------------



  • 5.  RE: Annual HIPAA Audit

    Posted 06-01-2020 08:17 PM
    Erica, I would ask your vendor what "HIPAA audit" they are talking about and ask them to show where it is a requirement.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 6.  RE: Annual HIPAA Audit

    Posted 06-01-2020 08:31 PM
    That's a good idea David!

    ------------------------------
    Erica Jansky MS/CCC-SLP, MS/MOB
    Director of QA & Compliance
    CHS Therapy
    ------------------------------



  • 7.  RE: Annual HIPAA Audit

    Posted 06-02-2020 12:37 AM
    When you get an answer...try to get something relatively specific...not just a reference to the Privacy Rule or section 164.5XX.  In other words, they should be able to show you precisely where the requirement is stated.  Feel free to call me out when you get the answer...as I doubt you will get anything that identifies a requirement and this "requirement" is going to be an interpretation or a "suggestion" but certainly not a requirement.

    Very curious to hear what you find out.

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    ------------------------------



  • 8.  RE: Annual HIPAA Audit

    Posted 06-02-2020 10:26 AM
    I totally agree that HIPAA does not require an "audit" at any defined frequency.  The HIPAA regulations and/or guidance from OCR require a covered entity to have performed a "current" risk analysis (now I am second-guessing myself whether the HIPAA requirement is for an "analysis" versus an "assessment" - federal regulatory agencies tend to use the terms interchangeably even though there are distinctions, somewhere).  So, if there are significant changes to an EMR system, such as additions of hardware, software, mergers/acquisition with other entities, etc., a risk analysis should be performed on the "current" configuration of the system.

    The above being said, I was talking to our Security Officer, CIO and IT Director recently, and he repeatedly mentioned an annual risk assessment.   I apologize that I cannot direct you to any regulatory citation or guidance document from a regulatory agency.   When he and I fleshed that out, he agreed that HIPAA does not contain an annual requirement, but from his IT world perspective/responsibility, there are other requirements that specify annual.  I don't recall for sure, but one of those sources for the annual requirement may be in the recent (May-ish) interoperability final rule that CMS adopted (I don't have a date for its publication in the Federal Register).  A source might also be a NIST recommendation/requirement which we in HIPAA sometimes rely upon or incorporate into our worlds.

    I apologize if I am injecting more confusion but my takeaway is that HIPAA does NOT dictate a frequency for conducting a risk analysis (is this the same as an "audit").  The confusion is that there is another federal healthcare regulation(s) that does specify that an annual risk assessment be conducted.

    ------------------------------
    Scot Houska
    Chief Compliance Officer / Privacy Officer
    Community Hospital
    Grand Junction, CO
    ------------------------------



  • 9.  RE: Annual HIPAA Audit

    Posted 06-02-2020 10:37 AM
    What a top tier post...thanks for sharing Scot H.!  A couple of items that may or may not help others which I have found very useful and also helps clear up another misunderstanding that many of us probably hear often.

    Within the HIPAA regs and guidelines:
    risk assessment - the process used to identify if an impermissible is a breach
    risk analysis - the implementation specification used to identify potential risk and vulnerabilities

    NIST uses the term risk assessment in place of "risk analysis" as used in HIPAA.

    Also...and here's a good one....you often will hear people say that because of meaningful use, one has to conduct a risk analysis annually as part of the attestation process.

    At a recent OCR webinar where it was basically a Q&A about SRAs when the ONC revised tool was released, the question of a "requirement" to conduct a risk analysis on an annual basis (which some folks state) came up and the response from the OCR (paraphrased) was that the annual attestation requirement does not require a "redo" of a risk analysis or that a risk analysis be conducted annually.  I had known this for a while, but if folks may want to try to find this, I think OCR posted recordings of the sessions (there were 3) on its website.
    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    ------------------------------



  • 10.  RE: Annual HIPAA Audit

    Posted 06-02-2020 09:03 AM
    Erica,

    For me this would be a red flag indicating that I needed to take a closer look at the vendor. Do they really have the sophisticated knowledge that is required to assist an organization in managing a comprehensive, entity-specific HIPAA compliance program, or are they a company that does other things, say, I.T. management, and throw HIPAA in with the mix? There are a lot of consultants out there that saw HIPAA as an easy revenue-enhancing up-sell and offer white-labeled compliance products.

    Of course there are other highly competent vendors that use the common terminology, knowing it is not completely true, for marketing purposes. I run into clients all the time that are skeptical and push back when I say something that is in contrast to the conventional understanding. As an example, "Sometimes you are required to e-mail PHI in an encrypted format."  Or, tell a pediatrics practice that the patient's parents may have a HIPAA right to access the patient's health record including reproductive health information, and just watch the pitchforks and torches come out.

    As a more direct answer to your question: many organizations (including the HCCA) use the term audit for any monitoring activity accomplished outside the organization or business unit. So this vendor may be referring to the HIPAA-required Security Risk Assessment. (On this list there is a 'friendly' argument about calling it an Assessment or Analysis, but don't get caught up in that.) All processes, procedures and activities need to be evaluated, and any risks to the privacy or security of PHI in the custody of the covered entity need to be identified. There is a next step, but we'll leave that for now. Many vendors combine an SRA with what is known as a Gap Analysis, which is designed to identify any compliance requirements not being met.

    The Gap Analysis is a good idea and I would call it a best practice. My recommendation is annually, but that is a recommendation, not a requirement. The SRA is required initially and it must be updated on an as-needed basis. I do not know of any consultant who is recommending SRAs be updated any less often than annually, so one can call that a common, if not best, practice. To be truly compliant with HIPAA, a risk analysis should be done for any new process, procedure, product, or system introduced that has any interaction with PHI.

    I could go on for days about this as HIPAA actually excites me but that is the most important information I have about the HIPAA Audit, Assessment, and Analysis.  I hope it is useful. 

    Keep asking questions. We will keep answering and together we will work to ensure better patient care through compliance.

    -Alex-

    Alexander I Slosman, MHA, CHC, CHPC





  • 11.  RE: Annual HIPAA Audit

    Posted 06-02-2020 09:01 AM
    I've not heard of an annual HIPAA audit, but we do perform an annual security risk assessment (some of our staff still confuse this for a HIPAA audit).

    ------------------------------
    Nellie Lunsford
    Dir of Compliance @ Education
    Chambers Health
    Anahuac, TX
    ------------------------------



  • 12.  RE: Annual HIPAA Audit

    Posted 06-02-2020 09:08 AM

    Indeed.  This is likely a semantic issue, and those who are stating there is no annual requirement are, while completely accurate, also, in my opinion, misleading.  But Frank and I have had this discussion before. :)

    If you participate in CMS p4p programs, you are required to attest, on an annual basis, that you have done a security risk analysis.  Those SRAs include measuring your program against HIPAA Security Rule standards.  

    You are also required to do an assessment whenever you have a material change to your system, but most folks don't do it every time IT or one of your vendors changes something, but instead do so on an annual basis.

    So, yeah, there is no requirement under HIPAA to do an annual assessment but you are likely required to assess against HIPAA on an annual basis. 

    ------------------------------
    Scott Intner
    Chief Compliance Officer
    GW Medical Faculty Associates
    Washington, DC
    ------------------------------



  • 13.  RE: Annual HIPAA Audit

    Posted 06-02-2020 09:20 AM
    On a related matter, the DOJ just released an update to the criteria for determining the effectiveness of an organization's compliance program. Granted, this is not a HIPAA-specific document, but when push comes to shove it is the DOJ who will be prosecuting.
    The new guidance is available at 

    The reason I posted in this thread is the following paragraph:
    "Risk Assessment
    The starting point for a prosecutor's evaluation of whether a company has a well designed compliance program is to understand the company's business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks. In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company's compliance program has evolved over time."

    This one is only 20 pages; it might be a good idea to download it for future reference.
    -Alex-
    Alexander I Slosman, MHA, CHC, CHPC





  • 14.  RE: Annual HIPAA Audit

    Posted 06-03-2020 10:41 AM
    Alex - thanks for sharing the link.

    ------------------------------
    Scot Houska
    Chief Compliance Officer / Privacy Officer
    Community Hospital
    Grand Junction, CO
    ------------------------------



  • 15.  RE: Annual HIPAA Audit

    Posted 06-02-2020 09:19 AM
    To be sure...this annual risk assessment you folks are doing is also not required by the HIPAA regulations, correct?

    I'm guessing this is an activity that your organization has adopted on its own based on its own reasons for doing so.  Just want to make sure to highlight this so folks do not somehow make the inference that the type of audit or assessment you are doing is required by the regulations.

    Certainly, like audits, assessments are very important depending on their nature, what they are designed to assess, and how well they are designed to assess whatever it is they are focused upon.  So by no means do I want people to think that just because an audit, assessment, gap analysis, or some other activity may not be required by the regulations, that I am not supportive of these activities.  These activities may help an organization in its HIPAA compliance program effectiveness.

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    ------------------------------



  • 16.  RE: Annual HIPAA Audit

    Posted 06-03-2020 08:50 AM
    Morning Everyone

    I do HIPAA audits as part of the compliance program.  I don't believe it's stated in the regulations that it is required.  I just do them as part of my compliance auditing and monitoring.

    I make sure all authorizations are in place, filled out correctly and that the NOPP attestation is signed and contained within the record.  Takes very little time to complete as long as I'm in the records anyways.

    And it's not all records, but a percentage of them.  A best practice, so to speak.

    ams

    ------------------------------
    Anne Marie Storey
    Director of QI
    Catholic Charities of Oneida/Madison County
    Utica, NY
    ------------------------------



  • 17.  RE: Annual HIPAA Audit

    Posted 06-03-2020 09:38 AM
    Hi Erica,

    Disclosure: I am not an attorney, nor do I claim to be a HIPAA compliance expert, and I am a vendor (and I am not trying to solicit). But my perspective may be helpful.  We help organizations with their risk analysis (or audit, or assessment, whatever you want to call it). There is so much confusion around HIPAA and information security in general that it is detrimental to the end goal... to protect ePHI and the organization as a whole from threats related to information and information systems.

    The Security Rule states:
    Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

    Under the letter of the law, it doesn't say anything about annual. The intent of the law (the HIPAA Security Rule) is that you have a defined and formal security program in place. If your organization doesn't know the fundamentals of a formal information security program, I would seek professional help. If your organization does know the basics, then you know that you should get a third-party assessment done.  The frequency would be defined and documented within your security program. Information security has come a long way since the Security Rule standards were put in place in 2003.  That is why so much of HIPAA was written with latitude.  They knew the techniques and processes would change over time, but the end goal is the same. Confusion is the enemy of information security, and I just see a lot of confusion in this thread, so I thought I would offer my advice.  Thanks all.

    ------------------------------
    Mark Schlader
    Principal Partner
    DueNorth Secure Healthcare
    Mark.schlader@duenorthsecurity.com
    www.duenorthsecurity.com
    (701) 941-2044
    ------------------------------
