
Health Insurance Portability and Accountability Act Audit

A SECNAP HIPAA Audit enables clients in the health care industry to assess and improve their compliance posture with respect to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Following are examples of reviews conducted as part of the HIPAA Audit. Upon completion, findings are presented to the client at three levels: Executive Security Briefing, IT Security Briefing, and User Security Briefing.

Written Security Policy

Review and verify the written security policy, and compare it with the actual configuration of the security components that are meant to enforce it. (If written security policies are not in place, the SECNAP Senior Auditor will provide a template and recommendations for the written security policy.)

Assess potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information.

Evaluate and recommend implementation of security measures to reduce the identified risks and vulnerabilities.

Assigned Security Responsibility

Identify the security person(s) responsible for development and implementation of security policies and procedures.

Workforce Security

Review the policies and procedures in place for closing system access to terminated employees.

Information Access Management

Review policies and automated procedures for access control.

Assess policies and procedures for granting access.

Assess procedures for authorizing, documenting, reviewing and modifying established users' access rights.

Security Awareness and Training

Review procedures for guarding against, detecting, and reporting malicious software.

Review procedures for monitoring log-in attempts and reporting discrepancies.

Review current password management policies.

Security Incident Procedures

Review policies and procedures that address security incidents.

Review current system monitoring to prevent, detect, contain, and correct security breaches.

Contingency Plan

Review data backup and disaster recovery plans for restoring lost data.

Physical Safeguards: Facility Access Controls

Review policies and procedures to limit physical access.

Review policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.

Review policies for validating an individual's access to facilities, including visitor control and access to software programs for testing and revision.

Review controls in place to prevent unauthorized physical access to information, including workstation use and workstation security.

Review policies and procedures for device and media controls: receipt, removal, movement within the facility, and disposal.

Review procedures for removing electronic protected health information from media before the media are made available for re-use.

Access Control

Review technical policies and procedures for access control.

Review policies for identifying and tracking user identity.

Review emergency access procedures.

Review policies and procedures for automatic logoff.

Review procedures for encryption and decryption.

Audit Controls

Review implementation of procedures to regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports.

Integrity and Transmission Security

Assess technical security measures guarding against unauthorized access to electronically transmitted information.

Review encryption policies for electronic transactions.

