Is a HIPAA audit right for your organization?

Tod Ferran, CISSP, QSA
By: Tod Ferran
Ever wondered how HIPAA compliant your organization actually is? Are you struggling with the implementation of certain HIPAA requirements? Are you concerned your organization might not pass an OCR HIPAA audit?

Contracting with an external professional to perform an onsite HIPAA audit might be a good option for you. If you are a business associate, a 3rd party onsite compliance assessment is vital in showing your partners you take HIPAA compliance and the security of their patient information seriously. This is a great differentiator because not all business associates do this.
HIPAA audits, HIPAA audit protocol

A HIPAA audit is a thorough examination of an entity’s HIPAA compliance practices to discover any problems, loose ends, or security vulnerabilities.

HIPAA audits are a great way to help get your HIPAA compliance in order. However, they aren’t right for every organization.
Here are the pros and cons of contracting with a third party for a HIPAA audit.

Pros of an onsite HIPAA audit

You don’t have to spend as much time on HIPAA
Because your auditor is analyzing your HIPAA requirements for you, you don’t have to spend as much time organizing certain components of HIPAA compliance. Learn how to speed up your HIPAA audit.

You can trust your auditors to find holes
External HIPAA auditors are experts. They know healthcare’s list of common mistakes and are experts at finding what you still need to do to become HIPAA compliant. Guaranteed, they will catch something your internal HIPAA compliance team missed.

Your auditor is objective
A third party HIPAA auditor will be objective, focused, and agnostic. Conducting an internal audit with your own workforce staff is a great first step, but the results may not be accurate. There is always the chance that a staff member may accidentally or purposely overlook something. The great thing about a third party auditor is, they give you all the information you need, then leave you to decide what to do with the information presented.

You’ll get reports
An external auditor should provide a HIPAA compliance report that documents the security efforts and compliance status of your organization. This documentation should give you and executive management an overall picture of your HIPAA compliance. You will likely want to share your compliant report with your partners, business associates, and customers,

Your patient data security will increase
Pros and Cons of Onsite HIPAA Audits, HIPAA compliance checklistOnsite auditors provide the information you need to fix security and privacy vulnerabilities that could potentially lead to a data breach. Like I said above, these guys are security experts. They know the common holes hackers look for when compromising an organization. After you implement your auditor’s suggestions, your security will skyrocket.

You’ll feel more prepared for the future
Depending on which company you hire, your onsite auditor may help you create a risk analysis and risk management plan based on what they found during the compliance assessment. This entire audit process will help you prepare for an OCR audit and feel more secure about your organization’s HIPAA compliance posture.

Learn more about SecurityMetrics’ HIPAA auditing process

Cons of an onsite HIPAA audit

Things change
Your systems and processes change over time, so the results from a HIPAA audit will not remain accurate for long. If you do decide to hire a company to conduct an onsite HIPAA audit, it’s important to take their recommendations into consideration immediately during and after their visit. Because environment change is unavoidable, prepare to invest in annual audits.

You have to spend time researching your auditor
While the HHS does not certify a single auditing authority, not all auditing companies are created equal. Don’t settle with an accountant or internal financial auditor, who has lots of experience with auditing, but virtually no experience in data security implementation. Ultimately, you must find a company you trust.

You have to explain your environment
The auditor you hire is familiar with the generalities of the healthcare industry, but every organization is set up differently. Be prepared to spend time walking him through your office, data center, or server room, and give a detailed explanation of how patient data travels within your organization. A PHI map will help make the process go faster.

It costs money

A HIPAA audit can cost from $5,000 to well over $100,000, depending on your size, infrastructure, and proximity from the auditor’s location. As you consider your data security budget, you should also consider the cost of a data breach to your organization. After all, a lack of patient data security can affect your bottom line. If you undergo a data breach, 40% of your patients will find a new provider. If you are found not to be compliant, the HHS can fine you up to $50,000 per violation, per day. If your patient data is compromised, your patients can file a civil lawsuit against you for not following HIPAA compliance. On top of all this, state and local governments are fining HIPAA violators as well.

See Also: Five Things to Consider When Making a HIPAA Security Budget

You actually have to follow up on recommendations
There’s no point in getting an audit if you don’t plan on making changes after the fact. If your auditor finds problems or vulnerabilities (which he/she will) and you don’t fix them, you just wasted a lot of resources. If the OCR ever audits you and discovers you chose not to fix vulnerabilities, they will probably fine you for willful negligence.


Analysis: Is a HIPAA audit worth it?

So, now that we know the pros and cons, is a HIPAA compliance audit valuable? It depends. Here are some things to consider:
  • Your size: If you are a small doctor’s office, a HIPAA audit will probably not be worth the time and money spent. If you are looking for HIPAA assistance, you are probably better off getting help through a Guided HIPAA Compliance service instead. However, if you are a BA, regardless of size, you should have an onsite HIPAA audit.
  • Your budget: HIPAA audits cost from $5,000 to $100,000+, depending on your size and infrastructure. Obviously, an audit will cost more for a multi-location hospital than a medium-sized practitioner.
  • Your experience: Are you a security expert? If so, a HIPAA audit may be overkill. However, don’t underestimate the value of a good conversation with a third party professional. You may wish to talk to a HIPAA consultant to ensure you’ve adequately met all HIPAA requirements.
Hopefully this analysis helped you decide if a HIPAA audit is right for you and your organization. If you’re interested in hiring me to conduct your onsite HIPAA audit, request a quote for a HIPAA audit here, and we’ll get in touch.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

How to Leverage HIPAA for Meaningful Use