HIPAA auditing tools: tests
HIPAA Weekly Advisor, February 9, 2004
When you prepare an audit of your security and privacy procedures, you'll need to narrow the focus of the audit, plan your course of action, and select your audit tools. Below are some of the testing tools you may want to use to gather information:
A variety of test formats may be used to collect data. Although a test may be similar to a questionnaire in some respects, a questionnaire typically surveys opinions or beliefs, while a test requires an answer that can be deemed correct or incorrect. In addition to a paper-and-pencil type of test (even if administered electronically), tests can also be constructed as more invasive processes. A security test that is becoming popular is the social engineering test, which emulates a social engineer attempting to charm information from someone.
Other security tests are highly technical. They include the following: war dialing, in which a computer is programmed to systematically dial phone numbers until it finds one that connects to a modem; war driving, in which a hacker drives around searching for a wireless access point to tap into; scans to determine vulnerabilities in a network; or penetration tests where active attempts are made to hack a system.
Borrowing from the financial accounting sector, tests may also be statistical in nature, such as cross-footing or hash totals, if the data to be collected lend themselves to such tests. An example of a less numerically oriented test may be to construct a call-back procedure to verify the identity and authority of someone requesting information.
The preceding excerpt is adapted from the Guide to HIPAA Auditing: Practical Tools and Tips to Ensure Compliance, by HIPAA expert and author Margret Amatayakul, RHIA, CHPS, FHIMSS.
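The cross-footing and hash-total tests mentioned above can be run mechanically over exported records. The following Python code is an added example, not part of the original article or the Guide; the record layout, field names, and sample values are constructed for illustration.

```python
# Added example, not from the original article. All field names and
# sample values below are constructed for illustration.

def control_totals(records):
    """Record count plus a hash total: the sum of a numeric field with no
    meaning as a quantity (here record_id), kept only as a check value."""
    return {"count": len(records),
            "hash_total": sum(r["record_id"] for r in records)}

def compare_batches(source, audit_copy):
    """Names of the control totals that differ between the two batches."""
    a, b = control_totals(source), control_totals(audit_copy)
    return [name for name in a if a[name] != b[name]]

def cross_foot(rows, stated_row_totals, stated_col_totals):
    """Cross-footing: recompute every row and column total from the cells
    and confirm both sets of stated totals reach the same grand total."""
    problems = []
    for i, row in enumerate(rows):
        if sum(row) != stated_row_totals[i]:
            problems.append(f"row {i}")
    for j, col in enumerate(zip(*rows)):
        if sum(col) != stated_col_totals[j]:
            problems.append(f"column {j}")
    if sum(stated_row_totals) != sum(stated_col_totals):
        problems.append("grand total")
    return problems

# Constructed sample: access-log entries exported from a source system,
# and an audit copy in which entry 1002 was replaced by entry 1009.
SOURCE = [{"record_id": 1001, "user": "a"}, {"record_id": 1002, "user": "b"},
          {"record_id": 1003, "user": "c"}]
AUDIT_COPY = [{"record_id": 1001, "user": "a"}, {"record_id": 1009, "user": "b"},
              {"record_id": 1003, "user": "c"}]

# Constructed sample: disclosures per department (rows) by quarter (columns).
ROWS = [[4, 7, 2], [1, 0, 5]]
ROW_TOTALS = [13, 6]
COL_TOTALS = [5, 7, 8]  # the last column actually sums to 7; stated as 8

if __name__ == "__main__":
    print(compare_batches(SOURCE, AUDIT_COPY))
    print(cross_foot(ROWS, ROW_TOTALS, COL_TOTALS))
```

The record count alone would pass the substituted batch; only the hash total differs. A hash total does not catch offsetting changes, such as two altered IDs whose sum is unchanged.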