You’ve partnered with a third party, you’ve properly scoped your environment, you’ve conducted a HIPAA Risk Analysis, you’ve remedied any non-compliant findings, you’ve worked with your auditor, you’ve completed your HIPAA audit, and now you’re finally receiving your HIPAA compliance report. Congratulations! So, what’s actually included in a HIPAA compliance report? Here are the 4 main components of a HIPAA compliance report:



The 4 Main Components to a HIPAA Compliance Report:

  1. Scope of Engagement

This section reports on the auditor’s review of the controls over access to electronic protected health information (ePHI), which ensure that access to ePHI meets HIPAA requirements. The Scope of Engagement also includes the auditor’s determination of the level of compliance with the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards. These safeguards are an important part of preventing and mitigating a breach. This section also reports the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk analysis and training requirements.

  2. Executive Summary

The second component of a HIPAA compliance report provides the purpose of the engagement and a description of the independent review of the information security control structure. The Executive Summary also includes a statement on the information security control structure’s compliance with the HIPAA Security Rule.

  3. Assessment Method

The Assessment Method describes the three main phases of the assessment: Planning, Control Identification, and Control Testing. The first phase consists of the assessor firm and client working to define the scope of the environment, identify areas of concern, and produce a work plan. During the second phase, the assessor interviews staff and examines relevant documentation. This phase results in the identification of key controls and testing methods to be used during the assessment. The third phase, Control Testing, occurs when the assessor conducts a review based on the key controls. The controls are then matched with the requirements of the HIPAA Security Rule and tested. The assessor must determine that the controls not only met the intent and rigor of the control objective, but were also implemented and operating.

  4. Assessment of Security Safeguards

This section covers the standards and implementation specifications of the Security Rule and the compliance descriptions for each. For every standard it gives a brief summary, a description of how the standard is implemented in your environment, and a description of how the implementation meets the standard.

Your organization can use your HIPAA compliance report to provide stakeholders or outside parties with an independent third-party verification that all access controls to ePHI stored on your systems are in compliance with HIPAA requirements.

A HIPAA Report contains four main components. The first component is Scope of Engagement. The Scope of Engagement reports on the auditor’s review of controls over access to electronic protected health information. It also reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s administrative, physical, or technical safeguards. Lastly, it reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk assessment and training requirements. Next, we have Executive Summary. The Executive Summary provides a description of an independent review of the information security control structure and its compliance with the HIPAA Security Rule. Next, we have Assessment Method. The Assessment Method provides a description of the three phases of the assessment: planning, control identification, and control testing. Lastly, we have Assessment of Security Safeguards. This section provides a description of standards, implementation specifications, and compliance descriptions.

The HIPAA Security Rule requires that business associates and covered entities have physical safeguards and controls in place to protect electronic Protected Health Information (ePHI). These safeguards provide a set of rules and guidelines that focus solely on the physical access to ePHI.

Stephanie Rodrigue discusses the HIPAA Physical Safeguards

What are Physical Safeguards?

According to the Security Rule, physical safeguards are, “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Each organization’s physical safeguards may be different, and should be derived from the results of the HIPAA risk analysis.

The physical safeguards comprise four standards:

Facility Access Controls

These policies and procedures should limit physical access to the facilities and electronic information systems that house ePHI to personnel who are authorized and who need that access, while ensuring that properly authorized access is still allowed. Common controls include locked doors, signs labeling restricted areas, surveillance cameras, onsite security guards, and alarms. Personnel controls can include ID badges and visitor badges.

Workstation Use

Workstation use covers appropriate use of workstations, such as desktops or laptops. These policies and procedures should specify the proper functions that should be performed on workstations, how they should be performed, and physical workstation security.

Workstation Security

Workstation security requires physical safeguards for all workstations that access ePHI, so that access is restricted to authorized users and unauthorized users are kept out.

Device and Media Controls

Device and media controls are policies and procedures that govern how hardware and electronic media that contain ePHI enter or exit the facility, and how they move within it. These controls must address disposal, media re-use, accountability, and data backup and storage. Note that disposal and media re-use are required implementation specifications, while accountability and data backup and storage are addressable: an addressable specification still has to be evaluated, and if you do not implement it you must document why and what equivalent measure you use instead.

How to Satisfy the HIPAA Physical Safeguard Requirements?

In order for organizations to satisfy this requirement, they must demonstrate that they have the appropriate physical safeguards in place and that they are operating effectively. For more help with determining whether your organization has the proper controls in place, contact us today.

The Security Rule requires that you have physical controls in place to protect PHI. This is going to look different for every organization, so it’s important that you go back to your risk analysis to understand which physical controls are appropriate for your organization.

When we talk about physical controls, some of it’s really simple, like having a lock on your server room door or having security cameras or a security guard onsite. We’re talking about prevention of the physical removal of PHI from your facility. In order to be compliant in this area, you’re going to have to be able to provide evidence that your controls are in place and operating effectively.

One of the HIPAA Security Rule requirements is that covered entities and business associates have administrative controls in place. Once you have completed your HIPAA risk analysis, you should have a good idea of what administrative controls are appropriate for your organization to protect ePHI. Having administrative safeguards in place is important for both the prevention and mitigation of a data breach.

Stephanie Rodrigue discusses HIPAA Administrative Safeguards

What are Administrative Safeguards?

According to the Office for Civil Rights, the Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Examples of administrative controls can be things like employee training, security awareness, written policies and procedures, incident response plans, business associate agreements, and background checks.

In order to satisfy this requirement, your organization must demonstrate and provide evidence that you have the appropriate administrative controls in place and that they are operating effectively. This means that your risk analysis results have been analyzed, and the appropriate administrative controls and security measures have been put in place to effectively address these risks. For more help on determining whether you have the appropriate administrative controls in place, contact us today.

The HIPAA risk analysis is the starting point for any HIPAA audit, and the most important component for achieving and maintaining HIPAA compliance. If risk analysis is such a critical part of HIPAA compliance, why is it the number one finding by the Office for Civil Rights (OCR)? Unfortunately, this means that a lot of business associates and covered entities, who are required to comply with HIPAA laws, just aren’t completing a HIPAA risk analysis.


Stephanie Rodrigue discusses the HIPAA Risk Analysis

Why is HIPAA Risk Analysis Important?

Aside from being the most common issue found during the Phase 1 HIPAA audits, the HIPAA risk analysis is necessary in order to meet the requirements of 45 CFR 164.308(a)(1)(ii)(A). Performing a HIPAA risk analysis identifies your organization’s specific risks to ePHI and lays out a roadmap that lets you prioritize those risks and protect ePHI accordingly.

How do you Perform a HIPAA Risk Analysis?

Performing a HIPAA risk analysis begins with documenting the flow of electronic Protected Health Information (ePHI) within your organization and understanding where all of your sensitive data lies. By taking a systematic, risk-based approach, you can begin to ask yourself a series of questions. What ePHI do you encounter? Where is it stored? How is it transmitted? How is it processed? Once you have documented these answers, you can prioritize your risks by the likelihood and impact these risks have on your organization.

Utilizing a third party, like KirkpatrickPrice, to conduct your HIPAA risk analysis can be helpful when you only have limited resources and understanding of the risk analysis process. Contact us today with any questions regarding getting started with your HIPAA risk analysis.

What To Do With Your Completed Risk Analysis

Completing a comprehensive HIPAA risk analysis is a big achievement and puts you in rare company…but you’re not done yet. Once you’ve completed your HIPAA risk analysis, your organization should be asking: What are we going to do with this risk? Has management reviewed this and agreed? How can we use this information to improve? A mature risk management program doesn’t ask, “Do we have to do this again?” Instead, your risk management program should incorporate an ongoing, integrated risk analysis process. In this webinar, Mark Hinely will discuss five steps to take in using your risk analysis: internal reporting, management responsibilities, corrective actions, monitoring, and auditing.

Internal Reporting

Once you have completed the identification of your threats and vulnerabilities, the potential impact, the likelihood of occurrence, the controls in place, and your recommendations – all of the foundations of a comprehensive risk analysis – you may wonder what to do with that information. Internal reporting is the next step to take. Your report should include a high-level summary of the risk analysis process, the top findings, your recommendations, and any appendices. The audience for this report should be senior-level management, operational units, or external auditors.

  1. High-Level Summary: The summary in your report should communicate to internal and external stakeholders what you did, and how you did it, in a way that could be independently verified. You want to frame what can be a very complex and confusing collection of information in a way that’s understandable.
  2. Top Findings: Your top findings and/or a heat map provide a visual representation of risk. Instead of giving all of the threat-level details that the risk analysis will include, a heat map will scale that information back to only portray the likelihood of occurrence and potential impact of a particular risk. A heat map is also beneficial because sometimes risk is only fully understood in comparison to other risks, threats, or vulnerabilities.
  3. Recommendations: These recommendations should be enterprise/project-level recommendations, not threat/vulnerability-level.
  4. Appendices: Include any type of supplemental, explanatory information that would be useful to internal or external stakeholders’ understanding of your risk analysis.

These four items will be separate from your actual HIPAA risk analysis. In addition to your internal report, you want to include your risk analysis. Sometimes individuals will also include an asset list, threat list, or policy list.

Management Responsibilities

After you’ve completed your risk analysis and documented the results in a report, now you have a chance to provide the results to management. The guiding standard for responding to risk is “reasonable risk,” specifically § 164.308(a)(1)(ii)(B) – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

When management reviews and evaluates risk, they can respond in one of four ways:

  1. Accept: If cost-benefit analysis determines the cost to mitigate risk is unreasonable, then the best and compliant response is to accept and continually monitor the risk. But, there are two kinds of acceptance – passive and active. Passive acceptance takes no action to resolve or manage the risk. Active acceptance takes action to manage the impact.
  2. Transfer: The best response to activities with a low probability of occurring, but with a large financial impact, is to transfer a portion, or all, of the risk to a third party.
  3. Mitigate: The best response to activities with a high likelihood of occurring, but with a small financial impact, is to use management control systems to reduce the risk of potential loss.
  4. Avoid: The best response to activities with a high likelihood of loss and large financial impact. Instead of doing the activity but putting controls in place to reduce the risk, this option says “We just won’t do that anymore.”

You want to document management’s review of the risk analysis. We recommend stating an explicit standard, such as, “Our organization’s internal standard is to accept risks that have an overall risk value of medium or low.” You also want to document management’s approval of the internal risk analysis report. This approval means they’ve thoroughly reviewed the report and deem it a fair representation of the risk environment. An appendix at the end of the management documentation should have names, titles, dates, and a statement that says that management has reviewed the information and agrees with it.

Corrective Action

A risk analysis is a great tool for creating a HIPAA compliance roadmap. It tells you where you have the most exposure, what steps you can take to reduce the areas of greatest exposure, and it can assist in helping you with budget requirements. From a best practices perspective, you want to get to a point where you can categorize your control recommendations from a cost perspective, benefit perspective, and implementation perspective. The corrective actions take the things that need to be done to reduce risk to an appropriate and reasonable level, and do it.

Monitoring

Once you’ve completed the corrective action stage, you can begin to create a risk-based management control system, rather than a resource-based management control system. If it’s feasible, areas of greater risk receive increased monitoring – increased in frequency and intensity. You can monitor activity through diagnostic controls, boundary controls, or belief systems.

  1. Diagnostic Controls: This type of control reports whether activities are happening when they’re supposed to happen and in the way that it was designed to occur. For example, audit logs or penetration tests.
  2. Boundary Controls: This is a type of control that constrains activity. It doesn’t just tell you whether or not the activity is occurring, it actually limits what can occur. For example, access control processes, encryption, or sanctions.
  3. Belief Systems: These controls tend to create a culture of compliance. For example, your security awareness training. Employees frequently resist security training, but enforcement activity repeatedly shows breaches caused by the very activities that security awareness training should have prevented.

An effective risk management program will incorporate a healthy balance of diagnostic, boundary, and belief system controls.

Auditing

A HIPAA risk analysis not only provides direction for monitoring activities, but also for auditing activity. So, what’s the difference between monitoring and auditing? Monitoring is a review of information provided by an operational unit. Auditing is an independent assessment of activities performed by someone outside of the business unit. Internal auditing benefits from a comprehensive risk analysis because your risk analysis should inform your auditing program where the greatest risk is. Audits should test risk analysis controls for both existence and effectiveness. Auditing also lays the groundwork for future risk analyses.

Listen to the full webinar to learn detailed steps of internal reporting, management responsibilities, corrective actions, monitoring, and auditing. Contact us today to learn more about HIPAA compliance.