14.2 HIPAA EVALUATION OR AUDIT

In the original proposed HIPAA regulations, the concept of a required Security Certification (or audit) was first introduced. When the final regulations were issued, this 'required certification' was changed to a periodic evaluation of security policies and their implementation, which can be performed either by your internal staff or by an external firm.

As has been previously covered, entities that are covered under these regulations must:

  1. 'Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

  4. Ensure compliance with this subpart by its workforce.' [1]

An audit or evaluation that tests your Information Security Controls for compliance with HIPAA should first and foremost be a means to review and ensure that your systems comply with 'reasonable' industry practices. A HIPAA audit, however, should not be seen as merely a 'checklist' audit but as a means to ensure that your security process is being constantly monitored and improved. Because the regulations do not prescribe specific technical controls, the guidance for a HIPAA audit can come from many industry sources, ranging from the National Institute of Standards and Technology [2], the Internet Engineering Task Force Site Security Handbook [3], COBIT (the Control Objectives for Information and related Technology) [4], FISCAM (the Federal Information System Controls Audit Manual) [5], the Generally Accepted System Security Principles sponsored by the International Information Security Foundation (I²SF) [6], and Principles and Practices for Securing IT Systems [7] to the AICPA Principles and Criteria for Systems Reliability, Version 2.0 [8]. Any of these resources can be used to form the guidance for your firm's compliance audit.

'Evaluation' is the eighth administrative standard:

Evaluation: Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. [9]

[1] WEDi/SNIP, Andrew H. Melczer, Ph.D., Security and Privacy Workgroup, "45 CFR Part 160 - General Administrative Requirements and 45 CFR Part 164 - Security and Privacy", http://www.wedi.org/snip/public/articles/45CFR160164.pdf

[2] Risk Management Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/80030/sp80030.pdf

[3] Internet Engineering Task Force Site Security Handbook, September 1997, http://www.ietf.org/rfc/rfc2196.txt?number=2196

[4] http://www.isaca.org/cobit.htm

[5] http://www.gao.gov/policy/12_19_6.pdf

[6] http://www.auerbach-publications.com/dynamic_data/2334_1221_gassp.pdf

[7] http://csrc.nist.gov/publications/nistpubs/80014/80014.pdf

[8] http://www.aicpa.org/assurance/systrust/edannoun.htm

[9] http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/033877.pdf


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181