HIPAA Compliant Healthcare Applications (Part 2 of 3): What You Need to Know About HIPAA Audits in Healthcare

This is the second part of our three-part series discussing the Security Rule section of HIPAA compliant healthcare application development. Here we’ll go over HIPAA auditing, what it means, why it must be done, the implications of not doing so, and how you should conduct a HIPAA audit.

What are HIPAA audits?

The OCR (Office for Civil Rights) can and will periodically conduct HIPAA audits on covered entities and business associates to ensure that they are safeguarding electronic protected health information (ePHI) as they should. HIPAA audits are conducted to gauge progress on compliance and to identify areas where improvement is needed.

Why you should care

In order to prevent fines associated with failed HIPAA audits, healthcare organizations should conduct regular risk assessments and take steps to prepare for HIPAA compliance audits.
There are several levels of penalties based on what a covered entity does or doesn’t do in accordance with HIPAA. Read the following to learn more: Is Your Healthcare Patient Portal HIPAA Compliant?


HIPAA audit log requirements

The HIPAA technical safeguards rule[¹] for covered entities was created to ensure that controls are in place for monitoring activity on electronic systems that use or contain ePHI. These entities must also have policies in place to systematically review and monitor audit records to establish that all activity on these electronic systems is appropriate. Logons and logoffs, file accesses, updates, edits, and security incidents are a few examples of activities that should be monitored.

The only obligatory audit is a risk analysis[²], which is required regardless of a provider’s size. In this analysis, providers must accurately determine whether potential vulnerabilities and risks to the integrity, confidentiality, and availability of ePHI exist within their systems. Conventional controls for these audits generally include the application of software, hardware, and/or procedural mechanisms that analyze activity in systems containing ePHI.

Rule 45 CFR § 164.316 states that audit records must be retained for six years[³] from the date of their creation or the date when they were last in effect, whichever is later. Logs of system activity and records of security breaches are examples of information that must remain available for audit throughout those six years.
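To make the preceding requirements concrete, the following is an added example (it is not code from the article or from Bridge Patient Portal). It models the activity classes named above as audit records, chains each record to the previous one with a SHA-256 checksum so that a silently edited or deleted entry is detectable during the systematic review the rule calls for, flags the records a reviewer must look at, and computes the six-year retention horizon from the later of creation and last-in-effect dates. The event names, record layout, review rule and sample entries are assumptions constructed for illustration.

```python
"""Tamper-evident ePHI audit log with a six-year retention check.

Added example, not from the article. The record layout, event names and
review rule are assumptions; the retention period follows 45 CFR 164.316.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date
from typing import List, Optional

# Activity classes the Security Rule text calls out for monitoring (assumed names).
MONITORED_EVENTS = {"logon", "logoff", "file_access", "update", "edit", "security_incident"}

RETENTION_YEARS = 6  # 45 CFR 164.316: six years from creation or last effective date
GENESIS = "0" * 64   # prev_hash of the first record in a chain


@dataclass
class AuditRecord:
    ts: str         # ISO-8601 timestamp of the activity
    actor: str      # user or service principal that acted
    event: str      # one of MONITORED_EVENTS
    resource: str   # identifier of the ePHI object touched, never the ePHI itself
    outcome: str    # "success" / "failure" / "detected"
    prev_hash: str  # checksum of the previous record (GENESIS for the first)
    hash: str = ""  # checksum over every field above, including prev_hash


def _digest(rec: dict) -> str:
    """Canonical SHA-256 over all fields except the stored hash itself."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def append(self, ts: str, actor: str, event: str, resource: str, outcome: str) -> AuditRecord:
        if event not in MONITORED_EVENTS:
            raise ValueError(f"unmonitored event type: {event}")
        prev = self.records[-1].hash if self.records else GENESIS
        rec = AuditRecord(ts, actor, event, resource, outcome, prev)
        rec.hash = _digest(asdict(rec))
        self.records.append(rec)
        return rec

    def verify_chain(self) -> Optional[int]:
        """Index of the first record whose content or linkage was altered, else None."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.prev_hash != prev or _digest(asdict(rec)) != rec.hash:
                return i
            prev = rec.hash
        return None


def review_queue(log: AuditLog) -> List[AuditRecord]:
    """Records the periodic review must examine: failed actions and security incidents."""
    return [r for r in log.records if r.outcome == "failure" or r.event == "security_incident"]


def retention_deadline(created_iso: str, last_in_effect_iso: Optional[str] = None) -> str:
    """Date (ISO) until which the record must be kept: six years after the later date."""
    anchor = max(date.fromisoformat(created_iso),
                 date.fromisoformat(last_in_effect_iso or created_iso))
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS).isoformat()
    except ValueError:  # 29 February with no leap day six years on
        return anchor.replace(year=anchor.year + RETENTION_YEARS, day=28).isoformat()


def build_sample_log() -> AuditLog:
    """Constructed sample entries covering the monitored activity classes."""
    log = AuditLog()
    log.append("2024-01-15T08:02:11Z", "nurse.alvarez", "logon", "portal", "success")
    log.append("2024-01-15T08:05:40Z", "nurse.alvarez", "file_access", "patient/1042/labs", "success")
    log.append("2024-01-15T08:09:03Z", "nurse.alvarez", "update", "patient/1042/allergies", "failure")
    log.append("2024-01-15T08:12:57Z", "ids.sensor", "security_incident", "portal/auth", "detected")
    log.append("2024-01-15T08:30:00Z", "nurse.alvarez", "logoff", "portal", "success")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify_chain() is None)
    print("needs review:", [(r.event, r.outcome) for r in review_queue(sample)])
    print("retain until:", retention_deadline("2024-01-15", "2025-06-30"))
```

The hash chain is a checksum-based integrity control of the kind the article later lists; a digital signature over each record (or over the chain head at rotation time) would additionally bind the log to a signing key, which plain hashing does not.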

Use a HIPAA compliant patient portal

Implementing HIPAA compliant patient portal software can ensure that your company is always ready for a HIPAA audit. Bridge Patient Portal ensures HIPAA compliance by:

  • Going through multiple rounds of third-party HIPAA audits
  • Being ONC 2015 Edition certified
  • Conducting regular risk assessments
  • Regularly reviewing records of system activity, including audit logs, access reports, and security incident tracking reports
  • Maintaining ePHI integrity requirements by implementing information systems such as checksum verification or digital signatures
  • Employing a full-time compliance officer

Auditing is an important part of the Security Rule section of HIPAA but is only a small part of what the rule addresses.

This was the second part of our three-part series discussing the Security Rule section of HIPAA compliant healthcare application development. Catch up on Part 1: What You Need to Know About User Authentication or continue onto Part 3: What You Need to Know About Data Transfer.

  1. LII / Legal Information Institute. (n.d.). 45 CFR § 164.312 – Technical safeguards. [online] Available at: https://www.law.cornell.edu/cfr/text/45/164.312.
  2. Office for Civil Rights (OCR). (2010). Guidance on Risk Analysis. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
  3. Compliance Deadlines: What is the Security Series? (2005). [online] Available at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf.
Pablo, our Chief Information Security Officer, architected and manages Bridge’s HIPAA-compliant hosting infrastructure. He is an Amazon Web Services (AWS) Certified Solutions Architect and is about to receive a Masters degree from the University of Buenos Aires in Computer and Information Systems Security and Information Assurance. He has a passion for all things related to cybersecurity and cloud hosting.
