The Health Insurance Portability and Accountability Act (HIPAA) was created to provide privacy and security for protected health information (PHI). While HIPAA provides covered entities with standards for safeguarding PHI, the Health Information Technology for Economic and Clinical Health Act (HITECH) also plays a role in the security of PHI through its establishment of breach notification requirements.
Assurance that covered entities comply with HIPAA comes through the efforts of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). In addition to investigating complaints alleging non-compliance with HIPAA, the OCR also conducts audits of covered entities and their business associates. Complaints are resolved either by the OCR facilitating compliance through corrective action or by the OCR issuing formal findings. The outcome of an OCR audit, on the other hand, may range from the OCR issuing guidance to the OCR initiating a compliance review, if the compliance deficiencies are significant enough.
Objective: Given the potential for OCR involvement in a covered entity’s HIPAA efforts, the objective of ISACA’s Health Insurance Portability and Accountability Act (HIPAA) Audit/Assurance program is to provide a means for entities to internally evaluate their processes, controls, and policies.
Scope: Once an entity has identified any potential gaps between its practices and HIPAA’s requirements, it can take corrective action prior to an OCR audit or compliance review. The audit areas include, but are not limited to, the following:
Authentication: Risks arise both from making sensitive information available to users and from the security of the locations from which users request access. Accordingly, the audit program covers authentication of users as well as non-user authentication (such as a server that communicates electronically with another server that hosts sensitive information).
Access Management: An organization’s access control program must ensure that data integrity and data confidentiality are not compromised as a result of unauthorized access. Given HIPAA’s objective of providing privacy for health information, access control is an important part of the audit program.
Continuous Monitoring: Monitoring is essential to ensure that access violations are identified, evaluated for risk, and either escalated to the appropriate information security professional for investigation or addressed to prevent recurrence. The audit program addresses data integrity from a monitoring perspective, as well as security incident response in the event an incident does occur.
As an IT audit and assurance professional, you are expected to customize this document for your unique assurance process environment. Use it as a review tool or starting point to modify for your purposes, rather than as a checklist or questionnaire. Keep in mind that to use this document for maximum effectiveness, you should hold the Certified Information Systems Auditor (CISA) designation or have the necessary subject matter expertise to conduct your assurance process while under the supervision of a professional who holds the CISA designation.