HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Prepare for a HIPAA Compliance Audit

In 2011 the Department of Health and Human Services’ Office for Civil Rights developed an audit program to assess the state of healthcare compliance. The pilot audits, which started in 2011 and were completed in 2012, uncovered numerous violations of HIPAA Privacy, Security and Breach Notification Rules.

Only 11% of audited entities passed the audits with no observations or violations, while more than 60% of the audits uncovered Security Rule violations.

The OCR was lenient on offenders and did not issue major fines for non-compliance issues; instead, action plans were developed to help the audited organizations implement the necessary safeguards to protect healthcare data.

The OCR is not expected to be as lenient during the second phase of the audit program, which is due to commence later this year. The second phase is likely to see organizations fined for HIPAA violations in line with the new penalty structure introduced with the Omnibus Rule of 2013.


Phase 2 of the OCR Compliance Audit Program


One of the aims of the pilot round of audits was to discover which aspects of the Health Insurance Portability and Accountability Act were not being followed. After analysis of the results, the OCR developed the second round of compliance audits, which will specifically target those areas of HIPAA which resulted in the most violations. Risk analyses, patient access rights to their healthcare data and the issuing of breach notifications will be a major focus of the second round of audits.

The introduction of the Omnibus Rule in 2013 expanded the reach of HIPAA to include business associates and their subcontractors, and they too will be audited as part of the second round, along with healthcare providers, health plans and healthcare clearing houses.

With the second round of audits now looming closer, all covered entities are advised to revise and update policies and procedures and must ensure that all HIPAA Privacy and Security Rules are being followed. With this in mind we have prepared a checklist covering the aspects of HIPAA Privacy and Security Rules which the OCR auditors are expected to assess.

How to Prepare for the Second Round of Compliance Audits


Risk Analyses – Under the Security Rule, all covered entities must conduct a comprehensive risk analysis to identify all potential vulnerabilities which could be exploited by hackers looking to steal ePHI and personal identifiers of patients and health plan members.

The risk analyses must cover all IT systems which can potentially touch healthcare data and all devices which can be used to access ePHI and personal identifiers. The risk analysis must also include paper records, x-rays and other physical records such as doctor’s notes.

A risk analysis is not a one-time event. It is a procedure which should be conducted on a regular basis, in particular after a material change in HIPAA legislation. Auditors will be checking to make sure that this is the case.

Risk Management – Any security issues discovered during the risk assessment must be addressed and the appropriate safeguards implemented promptly to address those risks. Auditors will be looking closely at the actions taken to manage risks and will expect those actions to have taken place in a reasonable time-frame.

List all Business Associates – If a covered entity is selected for audit, one of the first requirements will be to compile a list of all business associates. Lists should be created and maintained with up-to-date contact information. The OCR will use those lists to select BAs for audits.

Addressable Security Standards – Under HIPAA, many security standards are addressable, not mandatory. If a covered entity has elected not to adopt any addressable implementation standards, auditors will require documentation explaining why the standards have not been addressed and what alternative measures have been employed in their place to safeguard data.

Breach Notifications – A HIPAA-covered organization is required to have policies and procedures in place to deal with a security breach to ensure notifications can be issued in a reasonable timescale. Policies and procedures must reflect the content requirements as stipulated in the Breach Notification Rule.

Notices of Privacy Practices – Notices of privacy practices must be issued. NPPs should cover all instances under which ePHI and personal identifiers will be used, and under what circumstances patients will be contacted. A website privacy policy is required, but this in itself is insufficient under HIPAA Rules.

PHI Safeguards – Under the Security Rule, all covered entities must implement the appropriate technical, physical and administrative safeguards to protect all patient health data and personal information. This applies to electronic records as well as physical records such as doctor’s notes, paper files, x-rays, microfilm and all other forms of data. Access to the records must also be restricted and controlled.

Equipment inventory – Covered entities are required to maintain an inventory of all electronic equipment which is used to store, transmit, access or copy data. Any equipment with a hard drive or other data storage device must be included on the list. This includes PCs, laptops, portable storage devices, fax machines, digital printers and photocopiers.

Staff Training – All staff must receive training on the HIPAA Privacy and Security Rules, including their responsibilities to maintain HIPAA standards. All training must be documented and should be signed by each member of staff to confirm that it has been received.

Physical Security Plans – A physical security plan must exist for all locations where Protected Health Information is stored.

Transmission of ePHI – Any system which is capable of transmitting ePHI must use data encryption to secure the data during transit. This includes all equipment in use under BYOD schemes. If data encryption is not used to protect PHI, there must be a documented reason as to why this is not the case, along with details of the alternative controls that have been used instead.

Decommissioning of Equipment and disposal of PHI – Before digital equipment is decommissioned the data stored on the devices must be securely and permanently erased, while physical records must be rendered indecipherable or destroyed in a secure environment.

Failure to Comply with HIPAA Regulations


The Office for Civil Rights has the power to issue fines for non-compliance up to a maximum of $1.5 million per violation category, per year, regardless of whether the violation has resulted from willful neglect or from ignorance of HIPAA Rules.

Covered organizations are therefore advised to check that all issues identified by the risk analysis have been addressed and that all procedures and policies are up to date with current HIPAA regulations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.