Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to conduct periodic audits of providers and business associates to ensure their compliance with the HIPAA Security and Privacy Rule and breach notification standards. To implement this mandate, the Office of Civil Rights (OCR) is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase will begin November 2011 and conclude by December 2012.

Checklist 2.0, in collaboration with EHR 2.0, will focus on the implementation and tracking of HIPAA security best practices in a healthcare organization in order to prepare for a federal audit. Every audit begins with interviews, a questionnaire, and a thorough documentation review. Our effort, with decades of knowledge in the auditing field, will help our customers through the audit process, documentation requirements, and implementation specifications of the HIPAA security rule. The federal audit mandate provides an opportunity for healthcare organizations to review and improve their security posture, not only from a compliance perspective but also by hardening the environment as technology (mobile, Health Information Exchange, cloud) and the threat landscape change. Our toolkit will uncover reasons why many health information breaches are occurring and help covered entities better secure electronic protected health information (ePHI) and meet compliance requirements for the upcoming federal audit. The toolkit will also share the best practices used for HIPAA security implementation and continuous assessment, which auditors consider “due diligence” for the HIPAA security compliance program.

The toolkit covers:
- ePHI risk analysis and risk management methodologies
- Prioritizing and fixing identified risks
- Best practices framework and references
- Documentation and tracking of issues
- User training and assessment
- Re-assessment and continuous monitoring