HITECH / HIPAA Audit
This service reviews various aspects of your HITECH / HIPAA compliance strategy and processes, including the implications of the newly enacted HITECH Act. The HITECH Act gives HIPAA more prominence and an enhanced enforcement regime. As co-authors of the HIPAA Survival Guide, we have spent a considerable amount of time not only reviewing and dissecting the statute and regulations, but developing a pragmatic approach to assist clients in moving forward on the compliance continuum.
The audit we conduct uses the methodology embodied in our H2 Compliance Scorecard℠, which is based on a number of analytical frameworks (introduced in the December 2009 issue of our newsletter). The frameworks are:
- The Organizational Framework
- The Legal Framework
- The HITECH Framework
- The Breach Notification Framework
- The HIPAA Security Rule Framework
- The HIPAA Privacy Rule Framework
- The Audit Framework
- The Technology Framework
As a practical matter (i.e. as opposed to a question of law), compliance exists along a continuum; this is the tension that exists between rule and reality. A simple but effective way to describe this continuum is shown below.
Obviously, the further along you are in the continuum the better your "good faith" legal argument becomes, if/when you may be required to articulate one to a government agency or in response to private litigation.
This service is designed to help clients "jumpstart" their efforts to build (or rebuild) a good compliance story, recognizing that HIPAA / HITECH compliance is an iterative process. The HITECH Act transforms HIPAA from a paper tiger to one with "electronic teeth" and an eagerness to pounce; covered entities and business associates will have to consider both HITECH's carrot and its stick.
What does it cost?
The cost is between $5,500 and $7,500 USD depending on the complexity of the client's requirements. An upfront review is conducted and then a fixed fee within the stated range is quoted.
What does it cover?
- A review of your existing HIPAA / HITECH agreements, processes and procedures.
- The provisioning of supplemental agreements and recommendations with respect to processes and procedures grounded in the statute and applicable regulations.
- An action plan with tasks and objectives that will assist the client in moving from the "as is" compliance state to the "to be" state.
- The provisioning of an index of available resources that will assist the client in meeting its compliance objectives.
- A HITECH / HIPAA compliance score based on our H2 Compliance Scorecard℠ methodology.
What are the deliverables?
The final deliverable is an audit report which contains supplemental agreements, recommended changes to processes and procedures, and an action plan for moving forward.
Why should an organization conduct a HIPAA / HITECH audit?
Think of it as a kind of insurance policy. An audit helps protect your organization from the downside risk of HIPAA non-compliance. Any organization with "no HIPAA compliance story" to tell is clearly at risk for a finding of "willful neglect" under the HITECH Act. Furthermore, significant breaches involving protected health information (PHI) garner national media attention, which damages your organization's reputation and increasingly exposes it to private litigation. Courts and government agencies tend to be much more sympathetic to organizations that have performed the necessary due diligence and are actively engaged in improving their compliance effectiveness.