Verify and Validate the Current State of Compliance
Health and Human Services officials within the Office for Civil Rights have said that HIPAA-regulated organizations (Covered Entities and Business Associates) must conduct a risk assessment and then maintain it. OCR has penalized organizations that it determined did not meet the requirement. This “requirement,” however, has not been explicitly defined. It is left up to individual companies to determine what is appropriate for them, but you must be careful to implement an audit policy that OCR would ultimately agree is “appropriate” as well.
Here’s what OCR has said:
- An audit should be conducted periodically.
- The entity being assessed should not perform the audit.
Here’s what we recommend:
- An annual assessment or re-evaluation.
Any time there are significant changes to the technical environment, or new applications are added to business processes or systems, a risk analysis should be conducted. Given how frequently technological changes affect the software and hardware within an organization, the entire system should be assessed at least annually.
- A Third Party Audit at least every three years.
While there is no hard requirement for this, the big issues we often see with internal assessments are a lack of expertise on the part of the person conducting the audit and the difficulty anyone has in properly critiquing the work of their boss or superiors.
In some cases, depending on the rate of change within the organization, every three years is not frequent enough. The maintenance requirement is met by remediation activities and ongoing risk management.
For many organizations, however, the time and expense of a full annual audit is simply unrealistic. Loricca’s Conformance Audit is a supplement to a complete Risk Assessment. A Conformance Audit evaluates the interim maintenance requirement. This lower cost service focuses on evaluating risk management and remediation only. A Conformance Audit ensures that you are performing and documenting the ongoing activities appropriately.
Here’s what we propose:
- Year 1 – Full Risk Assessment
- Year 2 – Conformance Audit
- Year 3 – Conformance Audit
- Year 4 – Full Risk Assessment
Please note that this timetable may not be appropriate for every organization. The Conformance Audit may or may not include network vulnerability scanning or penetration testing, depending on the client's needs. To conduct an initial Conformance Audit, we will generally require that an organization has had a full, detailed risk assessment within the last 24 months.
We will work with you to create an assessment policy that only includes the level of assessment that you need, spreads out the cost, and helps you maintain and demonstrate compliance year after year.
If you are in need of a full Risk Assessment or you would like to learn whether a Conformance Audit may be appropriate for your organization at this time, please contact us today.