The HIPAA/HITECH Security Audit

The federal Health Insurance Portability and Accountability Act (HIPAA) was legislated in 1996 with the primary aim of ensuring that employees who are in the process of changing or leaving their jobs do not lose their health insurance benefits. Additionally, HIPAA sought to bring down health care fraud and abuse by mandating pan-industry standards for the protection of health care information and automated billing and other related processes, and for ensuring the security of Protected Health Information (PHI).

What is a HIPAA Security Audit?

A HIPAA Security Audit is a program under the HIPAA Privacy, Security, and Breach Notification Audit Program of the Office of Civil Rights (OCR). A HIPAA Security Audit is carried out to make sure that the policies, processes and controls on the part of Covered Entities comply with the provisions of the HITECH Act of 2009. Adherence to the requirements laid out by HITECH is mandatory.

Given the continued and growing use of new technologies in patients' electronic records, and the criticality of the data they contain, the US Department of Health and Human Services (HHS) recognizes that Protected Health Information could be breached. It is to prevent such breaches that a HIPAA Security Audit is mandated by the HITECH Act.

Reporting of data breaches is mandatory

The foremost highlight of the HITECH Act is the requirement that Entities covered by HIPAA report data breaches that affect 500 or more employees to the HHS. The OCR lays out an Audit Protocol, with whose policies, protocols and processes a facility has to comply if it is to be considered compliant with the HIPAA Security Audit.

Why is it necessary to carry out a HIPAA/HITECH Security Audit?

Compliance with the HIPAA Security Audit is necessary to demonstrate that a practice or business is well protected. The most important reason for which such entities need to be HIPAA/HITECH Security Audit compliant, apart from ensuring the protection and security of Protected Health Information, is to escape the punitive and stringent penalties that follow noncompliance with the HIPAA/HITECH Security Audit. Enforcement regulations fix a starting penalty level at $10,000 for willful negligence.

Entities and healthcare professionals can also be sued by patients for data breaches. To avoid these scenarios, an entity should be compliant with the HIPAA/HITECH Security Audit. This means that entities, as well as healthcare professionals, have to create a set of sound policies and need a thorough grasp of HIPAA best practices, the risk factors that present themselves, and the ways of avoiding them.

The OCR has stated that for fiscal 2016, the emphasis of the HIPAA/HITECH Security Audit will be on security for medical devices and electronic health records.