What Will Be in My HIPAA Compliance Report? The 4 Main Components to a HIPAA Compliance Report

You’ve partnered with a third party, you’ve properly scoped your environment, you’ve conducted a HIPAA Risk Analysis, you’ve remedied any non-compliant findings, you’ve worked with your auditor, you’ve completed your HIPAA audit, and now you’re finally receiving your HIPAA compliance report. Congratulations! So, what’s actually included in a HIPAA compliance report? Here are the 4 main components of a HIPAA compliance report:

The 4 Main Components to a HIPAA Compliance Report:

  1. Scope of Engagement

This section reports on the auditor’s review of the controls over access to electronic protected health information (ePHI), which ensure that access to ePHI meets HIPAA requirements. The Scope of Engagement also includes the auditor’s determination of the level of compliance with the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards. These safeguards are an important part of preventing and mitigating a breach. This section also includes a report of the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk analysis and training requirements.

  2. Executive Summary

The second component of a HIPAA compliance report provides the purpose of the engagement and a description of the independent review of the information security control structure. The Executive Summary also includes a statement on the information security control structure’s compliance with the HIPAA Security Rule.

  3. Assessment Method

The Assessment Method describes the three main phases of the assessment: Planning, Control Identification, and Control Testing. In the first phase, the assessor firm and the client work together to define the scope of the environment, identify areas of concern, and produce a work plan. During the second phase, the assessor interviews staff and examines relevant documentation; this phase results in the identification of the key controls and the testing methods to be used during the assessment. In the third phase, Control Testing, the assessor conducts a review based on the key controls. The controls are matched with the requirements of the HIPAA Security Rule and tested. The assessor must determine that the controls not only meet the intent and rigor of the control objective, but are also implemented and operating.

  4. Assessment of Security Safeguards

This section covers the standards and implementation specifications together with their compliance descriptions: a brief summary of each standard, how each standard is implemented, and a description of how the organization complies with it.

Your organization can use your HIPAA compliance report to provide stakeholders or outside parties with an independent third-party verification that all access controls to ePHI stored on your systems are in compliance with HIPAA requirements.

Video Transcription

A HIPAA Report contains four main components. The first component is Scope of Engagement. The Scope of Engagement reports on the auditor’s review of controls over access to electronically protected health information. It also reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s administrative, physical, or technical safeguards. Lastly, it reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk assessment and training requirements. Next, we have Executive Summary. The Executive Summary provides a description of an independent review of the information security control structure and its compliance with the HIPAA Security Rule. Next, we have Assessment Method. The Assessment Method provides a description of the three phases of the assessment: planning, control identification, and control testing. Lastly, we have Assessment of Security Safeguards. This section provides a description of standards, implementation specifications, and compliance descriptions.

What are HIPAA Physical Safeguards?

The HIPAA Security Rule requires that business associates and covered entities have physical safeguards and controls in place to protect electronic Protected Health Information (ePHI). These safeguards provide a set of rules and guidelines that focus solely on the physical access to ePHI.

Stephanie Rodrigue discusses the HIPAA Physical Safeguards

What are Physical Safeguards?

According to the Security Rule, physical safeguards are, “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Each organization’s physical safeguards may be different, and should be derived based on the results of the HIPAA risk analysis.

There are four standards included in the physical safeguards. These include:

  1. Facility Access Controls – These policies and procedures should limit physical access to all ePHI to that which is only necessary and authorized. Some common controls include things like locked doors, signs labeling restricted areas, surveillance cameras, onsite security guards, and alarms. Personnel controls could include ID badges and visitor badges.
  2. Workstation Use – Workstation use covers appropriate use of workstations, such as desktops or laptops. These policies and procedures should specify the proper functions that should be performed on workstations, how they should be performed, and physical workstation security.
  3. Workstation Security – Workstation security consists of the physical safeguards that restrict access to workstations by unauthorized users.
  4. Device and Media Controls – Device and media controls are policies and procedures that govern how hardware and electronic media that contains ePHI enters or exits the facility. These controls must include disposal, media reuse, accountability, and data backup and storage.

In order for organizations to satisfy this requirement, they must demonstrate that they have the appropriate physical safeguards in place and that they are operating effectively. For more help with determining whether your organization has the proper controls in place, contact us today.

Video Transcription

The Security Rule requires that you have physical controls in place to protect PHI. This is going to look different for every organization, so it’s important that you go back to your risk analysis to understand which physical controls are appropriate for your organization.

When we talk about physical controls, some of it’s really simple, like having a lock on your server room door or having security cameras or a security guard onsite. We’re talking about prevention of the physical removal of PHI from your facility. In order to be compliant in this area, you’re going to have to be able to provide evidence that your controls are in place and operating effectively.

What are HIPAA Administrative Safeguards?

One of the HIPAA Security Rule requirements is that covered entities and business associates have administrative controls in place. Once you have completed your HIPAA risk analysis, you should have a good idea of what administrative controls are appropriate for your organization to protect ePHI. Having administrative safeguards in place is important for both the prevention and mitigation of a data breach.

Stephanie Rodrigue discusses HIPAA Administrative Safeguards

What are Administrative Safeguards?

According to the Office for Civil Rights, the Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Examples of administrative controls can be things like employee training, security awareness, written policies and procedures, incident response plans, business associate agreements, and background checks.

In order to satisfy this requirement, your organization must demonstrate and provide evidence that you have the appropriate administrative controls in place and that they are operating effectively. This means that your risk analysis results have been analyzed, and the appropriate administrative controls and security measures have been put in place to effectively address these risks. For more help on determining whether you have the appropriate administrative controls in place, contact us today.

The HIPAA Risk Analysis

The HIPAA risk analysis is the starting point for any HIPAA audit, and the most important component for achieving and maintaining HIPAA compliance. If risk analysis is such a critical part of HIPAA compliance, why is it the number one finding by the Office for Civil Rights (OCR)? Unfortunately, this means that a lot of business associates and covered entities, who are required to comply with HIPAA laws, just aren’t completing a HIPAA risk analysis.


Stephanie Rodrigue discusses the HIPAA Risk Analysis

Why is HIPAA Risk Analysis Important?

Aside from being the most common issue found during the Phase 1 HIPAA audits, the HIPAA risk analysis is necessary in order to meet requirements under 45 CFR 164.308(a)(1)(ii)(A). Performing a HIPAA risk analysis is uniquely designed to help you identify your specific risks to ePHI by laying out a roadmap that allows you to prioritize risks and properly protect ePHI.

How do you Perform a HIPAA Risk Analysis?

Performing a HIPAA risk analysis begins with documenting the flow of electronic Protected Health Information (ePHI) within your organization and understanding where all of your sensitive data lies. By taking a systematic, risk-based approach, you can begin to ask yourself a series of questions. What ePHI do you encounter? Where is it stored? How is it transmitted? How is it processed? Once you have documented these answers, you can prioritize your risks by the likelihood and impact these risks have on your organization.
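The inventory-then-prioritize procedure above can be kept as a small structured record rather than a spreadsheet. The following is an added example, not code from the original post or from KirkpatrickPrice: each ePHI flow records the four questions (what ePHI, where stored, how transmitted, how processed), a completeness check flags flows whose answers are still missing, and the risk register is ranked by likelihood times impact. The flow names, risk descriptions and 1-to-5 scales are constructed sample data and assumptions of this example, not values from the page.

```python
"""ePHI flow inventory and likelihood x impact risk prioritization (constructed example)."""
from dataclasses import dataclass

# The four questions the risk analysis asks about every piece of ePHI.
REQUIRED_QUESTIONS = ("what", "stored", "transmitted", "processed")


@dataclass
class EphiFlow:
    """One documented flow of ePHI through the organization."""
    name: str
    what: str          # what ePHI is encountered
    stored: str        # where it is stored
    transmitted: str   # how it is transmitted
    processed: str     # how it is processed

    def unanswered(self) -> list:
        """Return the questions that have no documented answer yet."""
        return [q for q in REQUIRED_QUESTIONS if not getattr(self, q).strip()]


@dataclass
class Risk:
    """A risk tied to a documented flow, scored on 1..5 scales (an assumption of this example)."""
    flow: str
    description: str
    likelihood: int   # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be in 1..5, got {value}")

    def score(self) -> int:
        return self.likelihood * self.impact


def incomplete_flows(flows: list) -> dict:
    """Map flow name -> missing questions, for flows the inventory has not fully documented."""
    return {f.name: f.unanswered() for f in flows if f.unanswered()}


def prioritize(risks: list) -> list:
    """Rank risks by score, breaking ties on impact so severe outcomes rise first."""
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


def risk_register(flows: list, risks: list) -> list:
    """Build a ranked register; refuse risks that point at flows missing from the inventory."""
    known = {f.name for f in flows}
    for r in risks:
        if r.flow not in known:
            raise ValueError(f"risk '{r.description}' references undocumented flow '{r.flow}'")
    return [
        {"rank": i, "flow": r.flow, "risk": r.description, "score": r.score()}
        for i, r in enumerate(prioritize(risks), start=1)
    ]


# Constructed sample inventory; "billing-export" has no documented transmission path.
SAMPLE_FLOWS = [
    EphiFlow("patient-intake", "demographics, diagnosis", "EHR database", "TLS to EHR vendor", "clinician review"),
    EphiFlow("billing-export", "claims data", "shared file server", "", "nightly batch"),
    EphiFlow("backup-tapes", "full EHR copy", "offsite tape vault", "courier", "restore testing"),
]

# Constructed sample risks with hypothetical scores.
SAMPLE_RISKS = [
    Risk("billing-export", "transmission path undocumented", 4, 4),
    Risk("backup-tapes", "tape lost in transit", 2, 5),
    Risk("patient-intake", "EHR login shared among staff", 3, 3),
    Risk("billing-export", "file server lacks access logging", 3, 4),
]

if __name__ == "__main__":
    for name, missing in incomplete_flows(SAMPLE_FLOWS).items():
        print(f"flow '{name}' still undocumented for: {', '.join(missing)}")
    for row in risk_register(SAMPLE_FLOWS, SAMPLE_RISKS):
        print(f"{row['rank']}. [{row['score']:>2}] {row['flow']}: {row['risk']}")
```

The completeness check matters because the page's own point is that the analysis starts with documenting where ePHI lives and how it moves; a risk assigned to a flow nobody has documented is rejected rather than silently scored.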

Utilizing a third party, like KirkpatrickPrice, to conduct your HIPAA risk analysis can be helpful when you only have limited resources and understanding of the risk analysis process. Contact us today with any questions regarding getting started with your HIPAA risk analysis.

Who must be HIPAA Compliant?

Who must be HIPAA Compliant, and how can they prepare?

If you are just beginning to learn about HIPAA, you may be wondering, “Who must be HIPAA Compliant?” Up until 2009, the answer was simple: Covered Entities. But when the Health Information Technology for Economic and Clinical Health (HITECH) Act passed, it expanded the oversight of the Office for Civil Rights (OCR) to Business Associates. The HITECH Act was passed in 2009 to promote the adoption and meaningful use of health information technology (HIT).

Stephanie Rodrigue Discusses Who must be HIPAA Compliant?

The OCR’s proactive supervision will hold all covered entities and business associates responsible for their own compliance with the laws. According to the Omnibus Rule, business associates are being held directly responsible for their compliance with any relevant HIPAA laws. This means that business associate compliance will be a focus of the coming Phase 2 HIPAA enforcement actions.

Covered Entities are healthcare providers such as doctors’ offices and hospitals, as well as health plans and healthcare clearinghouses. If your business is a covered entity preparing for Phase 2 of the OCR’s HIPAA Audit Program, we recommend that you prepare through Risk Analysis, Risk Management, Breach Reporting, and Privacy Notice and Access. Phase 2 audits of covered entities will focus on:

  • Device and Media Controls
  • Transmission Security
  • Risk Analysis and Risk Management
  • Safeguards and Training on Policies and Procedures
  • Notice of Privacy Practices and Access Rights
  • Breach Notification Content and Timeliness

Business Associates

Business Associates are the vendors who provide services on behalf of Covered Entities. Right now, the OCR is conducting audits of business associates and assigning fines for lack of HIPAA compliance. For business associates, these audits will focus on Risk Analysis, Risk Management, and Breach Reporting to Covered Entities. If you are a business associate, we recommend that you prepare through:

  • Conducting Security Rule Risk Analysis and Risk Management
  • Reviewing Policies and Procedures related to ePHI vulnerability, accessibility, and integrity
  • Identifying all systems that include ePHI
  • Evaluating security measures to reduce risk
  • Breach Reporting (impermissible acquisition, use, access, or disclosure of ePHI)
  • Evaluating Policies and Procedures

KirkpatrickPrice can service both covered entities and business associates through:

  • Experienced Risk Analysis Practices
  • Policy and Procedure Review
  • Approach Modeled on HIPAA Audit Protocol
  • Expert Information Security Personnel
  • Web-based Portal Experience

If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

Who Must Be HIPAA Compliant? Video Transcription

Who must be HIPAA Compliant? This is a question we get asked from time to time. Up until 2009, the answer was Covered Entities, which are healthcare providers like doctors’ offices and hospitals. But when the HITECH Act passed, it expanded the oversight of the OCR to the Business Associates, which are the vendors who provide services to the Covered Entities.
Right now, the OCR is conducting audits of Business Associates and assessing fines for lack of HIPAA Compliance. If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.