HIPAA Audit Checklist

by James Keogh

A HIPAA audit checklist is a list of the HIPAA regulations and standards that apply to a covered entity’s operations which can be used to assess the covered entity’s compliance with HIPAA. Because not all regulations and standards affect covered entities’ operations in the same way, there is no one-size-fits-all HIPAA audit checklist.

One of the challenges of HIPAA compliance is that covered entities are not required to comply with all HIPAA regulations and standards – only those that apply to their operations. This not only means health plans, health care clearinghouses, and qualifying healthcare providers have to conduct different HIPAA compliance audits, but the content of a HIPAA compliance audit within each type of covered entity can vary according to the nature of their operations.

A good example of this concerns Notices of Privacy Practices. Health plans are required to send new members a Notice when they enroll in a plan and every three years thereafter. Health care clearinghouses are not required to provide Notices of Privacy Practices, while healthcare providers that have a direct treatment relationship with a patient have to provide a Notice “no later than the date of the first service delivery”, except in emergency situations.

Retail pharmacies that qualify as covered entities do not have to provide each customer with a Notice of Privacy Practices, but must display a Notice in a prominent position, while hybrid entities have to provide a Notice to some individuals, but not others. In addition, different regulations regarding the content of a Notice apply if a covered entity is part of an Organized Health Care Arrangement (OHCA) or a Health Maintenance Organization (HMO).

What is the Purpose of a HIPAA Audit Checklist?

A HIPAA audit checklist has two purposes. The first is to determine which HIPAA regulations and standards apply to a covered entity’s operations so there is a single place of reference for HIPAA compliance. Note: the checklist may need to be adjusted to comply with other federal regulations (e.g., CMS’ conditions for participation in Medicare), state laws (e.g., the Texas Medical Records Privacy Act), or local codes (e.g., when city fire codes impact physical safeguards).

The second purpose is to compare the list of HIPAA regulations and standards against the organization’s existing compliance efforts, policies, and procedures so gaps in compliance can be identified and rectified. Depending on the size of the organization, this may be too large or too complicated a task for an individual. Parts of the comparison may have to be delegated to IT, legal, HR, nursing, and/or administration teams – under the supervision of the Privacy Officer.

In some cases, it may also be beneficial to divide the compilation of a HIPAA audit checklist between teams or departments. For example, it may be possible for HR and nursing teams to compile and compare a joint HIPAA Privacy Rule compliance checklist, for IT and administration teams to work on a joint HIPAA Security Rule compliance checklist, and for legal and compliance teams to audit compliance with the General and Breach Notification Rules.

Using a HIPAA Compliance Audit Checklist

Using a HIPAA compliance audit checklist does not consist solely of ensuring (for example) that billing teams are informed of the correct transaction codes to use, that valid authorization forms exist, and that the organization runs a security awareness training program. It is also important to verify that the correct transaction codes are actually used, that personnel know when valid authorization forms are required, and that all members of the workforce attend security awareness training.

This is because it is not sufficient for covered entities to “tick the box” of HIPAA compliance by compiling a HIPAA audit checklist. The checklist has to be used to identify gaps in compliance whether they are due to safeguards not being implemented, policies being out of date, or procedures not being complied with. It is also necessary to confirm that a sanctions policy is being used to address violations of HIPAA attributable to wrongdoing or a lack of knowledge.

In addition, compiling and using a HIPAA compliance audit checklist is not a one-off event. §164.316 of the Security Rule requires covered entities to “review documentation periodically, and update as needed, in response to environmental or operational changes”. Considering the volume of HIPAA changes in the pipeline for 2024, reviewing a HIPAA compliance audit checklist may become a more common occurrence over the next twelve months.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]