HIPAA and Phase 2 Audits – An Auditor’s Perspective for Dental Organizations

The auditors are coming... the auditors are coming!

Earlier this year, the Department of Health and Human Services (HHS) announced it was beginning its second phase of HIPAA audits, with reports indicating there could be as many as 400 audits in the coming year.  Who are they targeting?  HHS has narrowed the field to two categories: covered entities (for this audience, dental practices and dental organizations) and business associates (any partner or vendor that has access to patients' protected health information).  In other words, everyone.

I have no crystal ball, and I do not work for HHS.  As an auditor who has spent almost 20 years in the depths of security and fraud, I can tell you we tend to follow the risk in the medical world – it is everywhere and in practices of all sizes.

Now, before you change the locks on your practice door or the address on your website, note that most of the audits will be remote desk audits: no one with a pocket protector shows up, you simply respond to a set of written inquiries and document requests from the government.  If someone does show up at your practice, you probably have much, much larger concerns.

So how does a practice prepare in the event of an audit?  If you like details, the HHS Office for Civil Rights (OCR) publishes its detailed audit methodology (or protocol) on its website.  Short of reading the protocol, the following are examples of requests an auditor could make:

  • Security and privacy policies and procedures are always the starting point.  This includes incident response and breach notification procedures.
  • Results of risk assessment activities including:
    • Annual risk analysis and self-assessment
    • Asset inventory where PHI may be stored including servers, laptops, and mobile devices as well as any cloud services (like Dropbox) that may be used formally or informally
    • Results of vulnerability scans and penetration testing findings
  • Evidence of security awareness and training
  • Evidence that the Notice of Privacy Practices has been published and provided to patients
  • Review and risk assessment of business associates with whom the practice may share protected health information (PHI), including any written business associate agreements
  • Evidence of security monitoring and example alerts from firewalls and/or intrusion detection and prevention systems

To the degree the auditor wants to go to the next level and see how the practice actually meets its obligations, the following are the technical and physical controls that would be explored further.  These are less likely to be assessed during a remote "desk audit," which relies on the documents you submit rather than on direct inspection.

  • Facility access controls and physical security
  • Firewall configurations
  • Access control configurations (user IDs and passwords)
  • Data encryption capabilities
  • Mobile device security

Generally speaking, auditors follow the "say what you do and do what you say" approach.  For that reason, almost all assessments, including HIPAA, start with policies and procedures.  From there, be prepared to show how you follow those policies.  These documents and the control evidence that backs them up should be organized by HIPAA requirement and readily accessible (electronically), so that each request can be answered with a specific document rather than a search.  This turns an audit from a lengthy, open-ended activity into a short one that gets the auditors to nod their heads and move on to a more target-rich environment.

About the Author

Douglas Barbin is a member of the advisory board for Data Guardians Pros, where he advises the executive team on how the DGP platform can help dental organizations meet their security and compliance obligations.  He is a principal at Schellman & Company, LLC, the leading independent CPA firm focused solely on security and compliance services, where he leads the security assessment lines of business, overseeing hundreds of audits annually.  He is a certified public accountant (CPA), certified fraud examiner, and Certified Information Systems Security Professional (CISSP), and holds dual degrees in Accounting and Administration of Justice from Penn State and an MBA from Pepperdine.