While we tailor every audit to meet each client’s unique requirements and challenges, our roadmap to compliance typically follows a five-phased approach that creates the general framework of each audit. Our goal is to create an efficient, unobtrusive audit so that you can focus on your business, and we can focus on your compliance.
Our team of audit professionals serves our clients by combining knowledge of industry standards and regulatory requirements with proven methodologies and tools to produce cost-effective, value-added results. And what really sets us apart from our competitors is our highly personalized, client-centric level of service. We view ourselves as your business partner and treat our engagements as an opportunity to continuously improve your business processes, rather than a mere exercise in compliance.
(Phase 1): HIPAA engagements are based on the defined principles from the original WebTrust and SysTrust that include specific evaluation criteria; however, each company’s scoping requirements can vary depending on the type of services they perform. We will work with you to ensure your compliance standards (ISO 27001, HIPAA, GLBA, etc.) are in alignment with your policies and procedures and help make your security program stronger. We have years of experience working with nearly every industry and work with our clients to ensure that we cover the appropriate scope (Principles under Review). During the scoping and planning phase of the engagement, we’ll provide you with a customized questionnaire and audit request list and complete all planning activities off-site.
(Phase 2): A Readiness Assessment is designed to assess a company’s preparedness for a HIPAA audit. By conducting a thorough gap analysis, our team will assess the current control environment by identifying strengths and providing recommendations for areas that need improvement. We will also review your current policies and procedures to ensure they cover the areas needed.
As part of our detailed recommendations, we will provide a prioritized listing of controls that should be considered for implementation or enhancement prior to the audit (Roadmap to HIPAA Compliance). A Readiness Assessment typically requires two weeks of combined on-site and remote fieldwork and is a valuable and effective assessment that will give you a good idea of where you currently are—and where you need to be.
Based on the outcome of our Readiness Assessment, we will issue a detailed listing of gaps with supporting recommendations. Management will have the time needed to respond to and/or implement required remediation steps. Post-remediation supporting documentation can be submitted to our client portal for auditor validation to be performed remotely, without the need for additional time on-site. Our goal is to provide sufficient preparation time, guidance, and a remediation period prior to an official report being issued.
(Phase 3): Once the remediation efforts and auditor validation are complete, the procedures required to issue the report have been performed. This is the first step in proving to customers that an independent third party has audited you, and that your organization is on track to continually meet the defined criteria year over year. A readiness assessment alone is insufficient as evidence to clients that proper controls are in place; that’s why our process is designed to include the issuance of a formal compliance report.
(Phase 4): After you have successfully implemented control activities to achieve your HIPAA compliance, maintaining compliance to achieve a renewal HIPAA report is the next objective for most organizations. The control activities implemented during your initial assessment must be followed over a period of time (typically not less than six months). We assist our clients by implementing periodic checks during this time to validate that control activities are still operating effectively; however, there is no remediation phase at this point. The following outlines the processes that occur immediately after your initial report:
Control Activity Calendar
Interim Audit Requests
This entails a series of interviews with management and process owners to re-confirm our understanding of the system and flow of transactions, identifying existing controls and assessing new controls implemented since the last on-site assessment. This process can last from one day to several weeks depending on the size and number of client site locations.
Testing of Controls
Upon completion of our control testing during the year, your renewal audit report is developed and issued. This report is more detailed than your initial report. It includes additional details regarding the testing procedures performed to validate your controls and processes, and it is designed to meet compliance objectives and requirements for you and your customers. The quality of the report is of utmost importance to us; just like the initial report, we provide a customized draft press release, a HIPAA compliance certificate to place on your website and five professionally bound copies of your final report to share with your existing and/or prospective clients.
(Phase 5): Upon completion of your renewal audit report, planning next year’s audit begins. Phase 5 also includes issuing audit recommendations, providing guidance and agreeing to terms for future engagements.