Ever wondered how HIPAA compliant your organization actually is? Are you struggling with the implementation of certain HIPAA requirements? Are you concerned your organization might not pass an OCR HIPAA audit?
Contracting with an external professional to perform an onsite HIPAA audit might be a good option for you. If you are a business associate, a 3rd party onsite compliance assessment is vital in showing your partners you take HIPAA compliance and the security of their patient information seriously. This is a great differentiator because not all business associates do this.
A HIPAA audit is a thorough examination of an entity’s HIPAA compliance practices to discover any problems, loose ends, or security vulnerabilities.
HIPAA audits are a great way to help get your HIPAA compliance in order. However, they aren’t right for every organization.
Here are the pros and cons of contracting with a third party for a HIPAA audit.
Because your auditor analyzes your HIPAA requirements for you, you don't have to spend as much time organizing certain components of HIPAA compliance yourself.
External HIPAA auditors are experts. They know healthcare's list of common mistakes and are skilled at finding what you still need to do to become HIPAA compliant. Guaranteed, they will catch something your internal HIPAA compliance team missed.
A third party HIPAA auditor will be objective, focused, and independent. Conducting an internal audit with your own workforce staff is a great first step, but the results may not be accurate. There is always the chance that a staff member may accidentally or purposely overlook something. The great thing about a third party auditor is that they give you all the information you need, then leave you to decide what to do with the information presented.
An external auditor should provide a HIPAA compliance report that documents the security efforts and compliance status of your organization. This documentation should give you and executive management an overall picture of your HIPAA compliance. You will likely want to share your compliance report with your partners, business associates, and customers.
Onsite auditors provide the information you need to fix security and privacy vulnerabilities that could potentially lead to a data breach. As noted above, these auditors are security experts. They know the common holes attackers look for when compromising an organization. After you implement your auditor's suggestions, your security posture will improve substantially.
Depending on which company you hire, your onsite auditor may help you create a risk analysis and risk management plan based on what they found during the compliance assessment. This entire audit process will help you prepare for an OCR audit and feel more secure about your organization’s HIPAA compliance posture.
Your systems and processes change over time, so the results from a HIPAA audit will not remain accurate for long. If you do decide to hire a company to conduct an onsite HIPAA audit, it’s important to take their recommendations into consideration immediately during and after their visit. Because environment change is unavoidable, prepare to invest in annual audits.
The HHS does not certify a single auditing authority, and not all auditing companies are created equal. Don't settle for an accountant or internal financial auditor who has lots of experience with auditing but virtually no experience in data security implementation. Ultimately, you must find a company you trust.
The auditor you hire is familiar with the generalities of the healthcare industry, but every organization is set up differently. Be prepared to spend time walking them through your office, data center, or server room, and to give a detailed explanation of how patient data travels within your organization. A PHI map will help make the process go faster.
A HIPAA audit can cost from $5,000 to well over $100,000, depending on your size, infrastructure, and distance from the auditor's location. As you consider your data security budget, you should also consider the cost of a data breach to your organization. After all, a lack of patient data security can affect your bottom line. If you undergo a data breach, 40% of your patients will find a new provider. If you are found not to be compliant, the HHS can fine you up to $50,000 per violation, per day. If your patient data is compromised, your patients can file a civil lawsuit against you for not following HIPAA compliance. On top of all this, state and local governments are fining HIPAA violators as well.
There's no point in getting an audit if you don't plan on making changes afterward. If your auditor finds problems or vulnerabilities (which they will) and you don't fix them, you have wasted a lot of resources. If the OCR ever audits you and discovers you chose not to fix known vulnerabilities, they will probably fine you for willful neglect.
So, now that we know the pros and cons, is a HIPAA compliance audit valuable? It depends. Here are some things to consider:
Hopefully this analysis helped you decide if a HIPAA audit is right for you and your organization. If you’re interested in hiring me to conduct your onsite HIPAA audit, request a quote for a HIPAA audit here, and we’ll get in touch.