Tips for Passing a HIPAA Audit: Best Practices for Covered Entities

Are you on the hook to undergo a HIPAA audit, but you’re not quite sure where to start? Online Tech recently passed a HIPAA audit of our Michigan data centers, giving us the ability to offer HIPAA compliant hosting solutions to healthcare organizations that need to pass HIPAA audits of their own. Avoiding hefty fines and collecting federal incentives are major motivators of the healthcare industry to adopt electronic medical record (EMR) systems, in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Compliant Checklist


Our HIPAA audit means that a certified, independent auditor reviewed each paragraph of the HIPAA statute and confirmed that our processes and procedures were aligned with the standards. There are 19 HIPAA standards with controls stipulated in HIPAA version 1.2.1, and 54 HIPAA citations, including the complete set of 136 audited components.

An example of a high level HIPAA citation compliance checklist can be seen to the right – we are found to be fully compliant by each safeguard’s standards and citations.

For each Administrative, Physical and Technical safeguard, there are a number of standards that a covered entity (CE) or business associate (BA) must pass to complete an audit.

A BA provides a service for a CE and may need to access PHI. Although Online Tech never accesses PHI under any circumstances, it is common in the IT and hosting provider industry to sign a Business Associate Agreement (BAA) that codifies the provider’s commitment to follow HIPAA rules.

What are some best practices that you, the CE, should follow to help pass your audit?

  • Document data management, security, training and notification plans.
  • Use a password policy for access.
  • Encrypt PHI, whether it is in a database or in files on a server. Although not required by HIPAA, it is strongly suggested and considered best practice to encrypt PHI while it is stored in the database, and especially during transmission. More encryption considerations:
      ◦ Always use SSL for web-based access to any sensitive data.
      ◦ The encryption techniques and mechanisms used for sensitive information should be known to only a select few.
      ◦ Content such as images or scans should be encrypted and contain no personally identifying information.
      ◦ Don’t use public FTP – use an alternative method to move files.
  • Only allow remote access over a VPN.
  • Use login retry protection in your application.
  • Document a disaster recovery plan.
  • Save money and time by hosting with a company that already has a BAA in place – that way your auditor can review the document instead of conducting another audit on top of yours.

One important distinction between a business associate’s audit and a covered entity’s is that, as a healthcare organization dealing with PHI, you still need to undergo an audit of your own company’s processes and procedures. Your IT company may provide the technology to transmit and store your patients’ PHI, but you are still held accountable to HIPAA standards.

With federally funded audits planned through the end of 2012, it’s advisable to begin the EMR and audit process now, if you haven’t already started.

Need more HIPAA compliance information? Read more about how we passed our audit, and features of a HIPAA compliant data center.

About Thu Pham

Online marketing specialist and blogger of IT, health IT, cloud computing and other data center industry topics and trends.
This entry was posted in HIPAA Compliance.
