Medical Practice Health IT Audits: 10 Reasons to Review Your Tech

April 28, 2014

Medical practices are no strangers to audits. But health IT audits are critical to the financial, legal, and operational success of your office.

Physician practices are used to undergoing audits. They undergo meaningful use audits and payer claims review audits, and may even face tax and RAC audits. But one type of audit that is not often discussed but is absolutely critical for practices to undergo is an information technology (IT) audit.

In short, an IT audit is a comprehensive review and examination of IT in use within a practice. It has many purposes that are critical to the short- and long-term financial, legal, and operational success of a practice.

Here are 10 things you should know about IT audits and why your practice should consider scheduling one today.

1. IT audits detect security and compliance gaps. The primary reason practices should undergo an IT audit is to mitigate risk. An IT audit will identify gaps in security that may allow a data breach of unsecured protected health information, which is a HIPAA violation. The audit will provide a practice with an understanding of areas of security and compliance that require remediation.

2. IT audits help improve work flow. Some IT auditors will provide an analysis of a practice's workflow to determine whether there are opportunities for changes that will bring about improvement in productivity. These changes might be as simple as moving a scanner to a location that is more easily accessible to staff members to leveraging new types of technology that can improve employee productivity, such as providing employees with dual monitors.

3. IT audits assess inventory. Practices should always know exactly what technology is used in their facility. An IT audit will provide a practice with such a comprehensive list. Using this inventory assessment, a practice will know, for example, whether it needs to purchase new technology when new employees join or when technology needs to be upgraded or replaced, such as systems using Windows XP as an operating system (now that Microsoft has ended support of XP).

4. IT audits should be conducted by a qualified third party. This is true regardless of whether or not a practice has a current IT provider in place. By bringing in a third party, you're more likely to receive a truly objective report. In addition, if you work with an IT provider that lacks extensive healthcare experience, the provider may not be aware of the nuances of HIPAA laws, for example. An outside company with healthcare experience can help identify areas in need of improvement specific to healthcare IT.

5. IT audits should be conducted on a regular basis. For smaller practices, it is best to undergo an IT audit every year; larger entities should consider undergoing one every six months because of the increased likelihood of compliance issues developing as a result of their more complex operations. By conducting regular IT audits, you will reduce the likelihood of gaps developing while helping ensure you have the most efficient workflow possible.

6. IT audits are usually conducted one of two ways. They are:

• Agentless. If you do not want anything installed on your computers, an IT auditor can run a network and hardware analysis using a bevy of different auditing and assessment software tools. These tools do not actually sit on the systems. Rather, they run from an engineer's laptop that is connected to the local network being assessed. The programs will scan everything on your entire network and then generate the report, which should include analysis of everything noted earlier: gaps, work flow, inventory assets, etc.

• Installed agents. Another way to undergo an IT audit is to allow for what are called "assessment agents" to be installed on your computers. The assessment agents will run for about a few days and will collect multitudes of detailed information on the hardware, software, patches and much more. This not only provides a 50,000-foot overview, but allows an IT auditor to drill down and learn about every single facet of your entire network. The auditor can look at everything from software licensing issues all the way down to whether the manner in which a printer is setup is slowing down your network. Using assessment agents will yield a much richer report with much more accurate and detailed data than using the webpage-based software.

7. IT auditors should sign a business associate agreement. Before you begin the audit process, it is required that you have the IT firm sign a business associate agreement. It's important to note that the IT company performing the audit must follow HIPAA security and compliance policies and procedures required by a business associate. Once on your network, the IT firm has essentially full carte blanche access to your information. Note: Without usernames and passwords to access your EHR, an IT auditor cannot view patient data or access a secured database unless you have patient medical records stored unsecured.

8. During a merger/acquisition, all parties need to perform IT audit. The audit is critical for company valuation and for the controlling party to learn what technology they're acquiring. Without an audit, it will be significantly more difficult to merge the IT of the organizations and develop an effective workflow between them.

9. IT auditors should provide you with the report. A trustworthy IT auditor will provide you with all of the information gathered during the audit and not hold the information hostage until you sign a contract to have the issues identified during the audit addressed. Make sure this clause is included in the contract you sign with an IT auditor.

10. IT auditors should review and test backup and disaster recovery. A critical IT function of any physician practice is its backup/disaster recovery. It's imperative that any IT audit include a detailed review of the backup policies and procedures. The principal areas that require review are as follows:

• Backup logs
• Retention policies
• Data restores
• Mock disaster testing
• Disaster recovery plan
• Documentation