Top 10 Questions Most Organizations Fail During a HIPAA Audit

Forget about a full-blown HIPAA audit with over 192 questions for covered entities (CEs): most organizations fail, and are considered out of compliance, within the first 10 questions.

In the past few years HIPAA has become the latest five-letter bad word in the healthcare industry. With confusing terminology and enormous fines, non-compliance can be more than a financial setback: you could end up in prison.

So how does your organization stack up? We have included 10 questions from the HIPAA Security Rule so you can perform a partial self-audit and see for yourself.

10 Questions from the HIPAA Security Rule

| Section | Key Activity | Audit Procedures | Implementation | Your Answer |
|---|---|---|---|---|
| §164.308 | Conduct Risk Assessment | Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. | Required | YES/NO |
| §164.308 | Implement a Risk Management Program | Inquire of management as to whether current security measures are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). | Required | YES/NO |
| §164.308 | Select a Security Official To Be Assigned Responsibility for HIPAA Security | Inquire of management as to whether the organization has assigned responsibility for HIPAA security to a Security Official who oversees the development, implementation, monitoring, and communication of security policies and procedures. | Required | YES/NO |
| §164.308 | Develop and Implement Procedures to Respond to and Report Security Incidents | Inquire of management as to whether there are formal or informal policies and/or procedures in place for identifying, responding to, reporting, and mitigating security incidents. | Required | YES/NO |
| §164.308 | Develop Contingency Planning Policy | Inquire of management as to whether a formal contingency plan with defined objectives exists. | Required | YES/NO |
| §164.308 | Data Backup Plan and Disaster Recovery Plan | Inquire of management as to whether disaster recovery and data backup plans exist to restore any lost data. | Required | YES/NO |
| §164.308 | Encryption and Decryption | Inquire of management as to whether an encryption mechanism is in place to protect ePHI. | Addressable | YES/NO |
| §164.308 | Implement Methods for Final Disposal of ePHI | Inquire of management as to how the disposal of hardware, software, and ePHI data is managed. | Required | YES/NO |
| §164.308 | Develop and Implement an Emergency Mode Operation Plan | Inquire of management as to whether policies and procedures exist to enable the continuation of critical business processes that protect the security of ePHI while operating in emergency mode. | Required | YES/NO |
| §164.308 | Develop Recovery Strategy | Inquire of management as to whether procedures exist for recovering documents after emergency or disastrous events. | Required | YES/NO |

If you were able to answer yes to every one of these questions, congratulations: you are well on your way to being compliant with the latest changes in the HIPAA laws. If you answered no to even one of them, your organization is considered out of compliance and could face fines of up to $1.5 million and possible jail time. Notice that every one of the auditors' questions is addressed to management; it is critical that HIPAA compliance becomes a top priority within your organization.

We don't want you to take our word for it: take a look at some of the latest enforcement actions that have been levied against organizations for non-compliance.
