Recent Enforcement Reminds Companies: Assess HIPAA Compliance

Gardner Law

A HIPAA compliance assessment is an evaluation of an organization's practices, policies, and procedures to ensure that they align with requirements from the Health Insurance Portability and Accountability Act (“HIPAA”). It identifies critical gaps and risk areas to enable companies to protect patient privacy and secure sensitive health information.

The Process

  1. Start: A HIPAA compliance assessment starts with a kick-off meeting where the assessors are introduced to the team and the assessment plan and logistics are discussed (document sharing, scheduling of interviews, deliverables, etc.).
  2. Documentation Review: A document request is issued by the assessors. This step typically involves reviewing the company’s internal policies and procedures, any data inventories or network diagrams, training, contract templates, consent forms, and other relevant records.
  3. Interviews: Next, the assessor interviews key personnel – these could include IT, compliance, legal, marketing, executives, and others who either handle patient information or are responsible for keeping it secure. This may include walk-throughs of key information systems and, depending on the depth of the assessment, checking specific security controls.
  4. Assessment Report: The assessors analyze the information collected in steps 2 and 3 and begin to identify gaps and draft findings. When needed, assessors will ask for follow-up information to clarify any remaining items. The report is then finalized and delivered for sign-off.

Key Focus Areas for HIPAA Compliance Assessment

Companies must have written policies and procedures addressing specific requirements. An assessment evaluates whether these policies and procedures are present and adequate. These include, where applicable, the company’s notice of privacy practices, patient authorizations, business associate agreement templates, policy on use and disclosure of protected health information (“PHI”), policy on individual rights requests, policy on business associate agreements, among others. Additionally, certain records must be maintained – a list of all business associates for example – and samples of these records should be checked as part of the assessment.

Covered entities must appoint a privacy official and security official, while business associates must appoint only a security official. Appropriate appointment of these roles would be confirmed in an assessment.

HIPAA restricts use and disclosure of patient information (“protected health information” or “PHI”) by covered entities and business associates and grants certain key exceptions. The assessment will confirm that policies and procedures reflect these restrictions and exceptions.

Cybersecurity is a critical component of HIPAA compliance. A comprehensive assessment will check whether the company has implemented an adequate cybersecurity program, including that required controls (such as encryption of PHI, or a security incident response plan) are actually implemented, not only documented on paper. An adequate HIPAA compliance program must include routine security risk analysis of all electronic PHI. Unlike many privacy laws, HIPAA directly requires a number of specific security controls rather than leaving companies to determine what is “reasonable”. This means companies subject to HIPAA must take a more proactive approach to cybersecurity not only to mitigate risk of a breach, but also to maintain regulatory compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Gardner Law
