Tips for Passing a HIPAA Audit: Best Practices for Covered Entities

Online Tech
December 13, 2011 — 1,281 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

Are you on the hook to undergo a HIPAA audit, but you're not quite sure where to start? Online Tech recently passed a HIPAA audit of our Michigan data centers, giving us the ability to offer HIPAA compliant hosting solutions to healthcare organizations that need to pass HIPAA audits of their own. Avoiding hefty fines and collecting federal incentives are major motivators of the healthcare industry to adopt electronic medical record (EMR) systems, in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Compliant ChecklistOur HIPAA audit means that a certified, independent auditor reviewed each paragraph of the HIPAA statute and confirmed that our processes and procedures were aligned with the standards. There are 19 HIPAA standards with controls stipulated in HIPAA version 1.2.1, and 54 HIPAA citations, including the complete set of 136 audited components.

An example of a high level HIPAA citation compliance checklist can be seen to the right – we are found to be fully compliant by each safeguard's standards and citations.

For each Administrative, Physical and Technical safeguard, there are a number of standards that a covered entity (CE), or business associate (BA) must pass to complete an audit.

A BA provides a service for a CE, and may need to access PHI. Although Online Tech never accesses PHI under any circumstances, it is common in the IT and hosting provider industry to sign a Business Associates Agreement (BAA) that codifies their commitment to follow HIPAA rules.

What are some best practices that you, the CE, should do to help with passing your audit?

  • Document data management, security, training and notification plans.
  • Use a password policy for access.
  • Encrypt PHI, whether it is in a database or in files on a server. Although not required by HIPAA, it is strongly suggested and considered best practice to do so while stored in the database, and especially during transmission. More encryption considerations:
  • Always use SSL for web-based access of any sensitive data.
  • Encryption techniques and mechanisms of sensitive information should be known to only a select few.
  • Content such as images or scans should be encrypted and contain no personally identifying information.
  • Don't use public FTP – use an alternative method to move files.
  • Only use VPN access for remote access.
  • Use login retry protection in your application.
  • Document a disaster recovery plan.
  • Save money and time by hosting with a company that already has a BAA in place – that way your auditor can review the document instead of conducting another audit on top of yours.

One important distinction between a business associate's audit and a covered entity is that as a healthcare organization dealing with PHI, you still need to undergo an audit to check your company's processes and procedures. Your IT company may provide the technology to transmit and store your patients' PHI, but you are still held accountable by HIPAA standards.

With federally funded audits planned through the end of 2012, it's advisable to begin the EMR and audit process now, if you haven't already started.

Need more HIPAA compliance information? Read more about the features of a HIPAA compliant data center.



Online Tech

Online Tech (, the Midwest's premier managed data center operator, serves a growing demand for data and computing capacity in small and mid-size businesses. Through its high availability SAS 70 data centers, Online Tech delivers a range of hosting services including colocation, managed dedicated servers, private cloud hosting, and disaster recovery. Online Tech's Michigan data centers operate under SSAE 16 compliance, allowing its clients to meet all of their PCI compliant hosting, HIPAA compliant hosting, and SOX compliant hosting needs. For more information call (877)740-5028.