Are you on the hook to undergo a HIPAA audit, but you’re not quite sure where to start? Otava recently passed its annual HIPAA audit of its Michigan data centers, giving the company the ability to offer HIPAA compliant hosting solutions to healthcare organizations that need to pass HIPAA audits of their own.
Avoiding hefty fines and collecting federal incentives were major motivators for the healthcare industry to adopt electronic medical record (EMR) systems by 2015, in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Our HIPAA audit means that a certified, independent auditor audited our processes, policies, facilities and hosting solutions against the latest OCR HIPAA Audit Protocol, which was released in June 2012 after the initial federal pilot audit program. The Office for Civil Rights (OCR) is the governing body for HIPAA and the enforcer of HIPAA violation penalties. The OCR HIPAA Audit Protocol covers the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.
An example of a high-level HIPAA Security Rule citation compliance checklist can be seen to the right; we were found fully compliant with each safeguard’s standards and citations.
For each Administrative, Physical and Technical safeguard, there are a number of standards that a covered entity (CE) or business associate (BA) must pass to complete an audit. A BA provides a service for a CE and may need to access PHI. Although Otava never accesses PHI under any circumstances, it is common in the IT and hosting provider industry to sign a Business Associate Agreement (BAA) that codifies the provider’s commitment to follow HIPAA rules.
One important distinction between a business associate’s audit and a covered entity’s is that, as a healthcare organization dealing with PHI, you still need to undergo an audit of your own to check your company’s processes and procedures. Your IT company may provide the technology to transmit and store your patients’ PHI, but you are still held accountable under HIPAA standards.