What Will Be in My HIPAA Compliance Report? The 4 Main Components to a HIPAA Compliance Report

by Sarah Harvey / August 9th, 2017

You’ve partnered with a third party, you’ve properly scoped your environment, you’ve conducted a HIPAA Risk Analysis, you’ve remedied any non-compliant findings, you’ve worked with your auditor, you’ve completed your HIPAA audit, and now you’re finally receiving your HIPAA compliance report. Congratulations! So, what’s actually included in a HIPAA compliance report? Here are the 4 main components of a HIPAA compliance report:


The 4 Main Components to a HIPAA Compliance Report:

  1. Scope of Engagement

This section reports on the auditor’s review of controls over access to electronic protected health information (ePHI), which ensure that access to ePHI meets HIPAA requirements. The Scope of Engagement also includes the auditor’s determination of the level of compliance with the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards. These safeguards are an important part of preventing and mitigating a breach. This section also includes a report of the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk analysis and training requirements.

  2. Executive Summary

The second component of a HIPAA compliance report provides the purpose of the engagement and a description of the independent review of the information security control structure. The Executive Summary also includes a statement on the information security control structure’s compliance with the HIPAA Security Rule.

  3. Assessment Method

The Assessment Method describes the three main phases of the assessment: Planning, Control Identification, and Control Testing. The first phase consists of the assessor firm and client working to define the scope of the environment, identify areas of concern, and produce a work plan. During the second phase, the assessor interviews staff and examines relevant documentation. This phase results in the identification of key controls and testing methods to be used during the assessment. The third phase, Control Testing, occurs when the assessor conducts a review based on the key controls. The controls are then matched with the requirements of the HIPAA Security Rule and tested. The assessor must determine that the controls not only met the intent and rigor of the control objective, but were also implemented and operating.

  4. Assessment of Security Safeguards

This section covers the standards and implementation specifications together with their compliance descriptions: it gives a brief summary of each standard, how each standard is implemented, and a description of how the standard is met.

Your organization can use your HIPAA compliance report to provide stakeholders or outside parties with an independent third-party verification that all access controls to ePHI stored on your systems are in compliance with HIPAA requirements.

A HIPAA report contains four main components. The first component is the Scope of Engagement. The Scope of Engagement reports on the auditor’s review of controls over access to electronic protected health information. It also reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s administrative, physical, or technical safeguards. Lastly, it reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk assessment and training requirements. Next is the Executive Summary. The Executive Summary provides a description of an independent review of the information security control structure and its compliance with the HIPAA Security Rule. Next is the Assessment Method. The Assessment Method provides a description of the three phases of the assessment: planning, control identification, and control testing. Lastly, there is the Assessment of Security Safeguards. This section provides a description of the standards, implementation specifications, and compliance descriptions.