The guide to HIPAA audits

HIPAA audits are assessments to ensure that covered entities and business associates comply with HIPAA regulations. Compliance with audit requirements helps covered entities and business associates safeguard PHI, mitigate risks, and adhere to HIPAA regulations.

Table of contents:

• What are HIPAA audits?
• Audit types
• Audit criteria
• HIPAA audit trails
• How to prepare for an audit
• How to respond to a HIPAA audit
• Outcomes and corrective actions
• FAQs

What are HIPAA audits?

In 2016, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated Phase 2 of its HIPAA Audit Program. The purpose of conducting OCR audits is to ensure adherence to HIPAA Privacy and Security Rules.

An OCR HIPAA assessment evaluates an organization's controls, policies, and processes to comply with OCR regulations while protecting PHI. If selected for the audit process, organizations must submit data and documents through a secure portal regarding their adherence to each HIPAA rule that pertains specifically to them. Notification of which specific documents need submission will be provided upon selection for the audit.

Entities found to be non-compliant may receive penalties that range in cost and severity based on the level of culpability. Such levels are gauged by factors like whether HIPAA violations were committed unintentionally and unknowingly versus knowingly with deliberate disregard for regulations.

Audit types

Random audits

These audits involve the OCR randomly selecting covered entities and business associates for evaluation. They aim to provide a broad overview of compliance across different organizations.

Investigative audits

When the OCR receives complaints or reports of potential HIPAA violations, they conduct investigative audits to assess the reported concerns thoroughly. These audits are targeted and specific to the reported issues.

Desk audits

Desk audits are remote evaluations where entities submit documentation requested by the OCR for review. These audits assess compliance through submitted policies, procedures, and other relevant documents.

On-site audits

On-site audits involve OCR representatives visiting the physical location of covered entities or business associates to conduct comprehensive assessments. These audits allow for in-depth examinations of policies, procedures, and practices.

Compliance reviews

These reviews are generally broader assessments that may encompass various aspects of HIPAA compliance. They can involve desk audits, on-site visits, and a comprehensive evaluation of an entity's adherence to HIPAA regulations.

Follow-up audits

If previous audits identified compliance issues or concerns, the OCR might conduct follow-up audits to ensure that corrective actions have been implemented effectively.

HIPAA Security Rule audits

Focused specifically on the Security Rule, these audits assess the implementation of technical, administrative, and physical safeguards to protect electronic protected health information (ePHI).

HIPAA Privacy Rule audits

These audits focus primarily on Privacy Rule compliance, evaluating how entities handle and protect individuals' rights regarding their health information.

Breach Notification audits

Audits in this category examine an entity's response and adherence to the Breach Notification Rule. They assess how entities report breaches of unsecured PHI and manage breach incidents.

Go deeper: The basic elements of a HIPAA compliant breach notification

Audit criteria

Privacy Rule compliance

The Privacy Rule establishes standards for protecting patients' medical records and personal health information. HIPAA audits scrutinize entities to ensure they:

• Obtain patient consent before using or disclosing PHI.
• Provide patients with access to their health information upon request.
• Safeguard against unauthorized access to PHI.
• Train employees on privacy policies and procedures.

Security Rule compliance

The Security Rule addresses electronic protected health information (ePHI) and requires entities to:

• Implement safeguards to protect ePHI from unauthorized access or disclosure.
• Conduct regular risk assessments to identify vulnerabilities.
• Employ technical measures such as encryption and access controls to secure data.
• Develop and maintain contingency plans for data breaches or emergencies.

Breach Notification Rule compliance

Entities must adhere to rules concerning breach notifications, which include:

• Timely reporting of any breach of unsecured PHI to affected individuals, OCR, and, in certain cases, the media.
• Implementing procedures to investigate and respond to breaches promptly.
• Mitigating potential harm caused by breaches and taking corrective actions.

Risk analysis and management

Regular risk assessments will help to identify vulnerabilities and manage risks effectively:

• Conducting comprehensive risk analyses to evaluate security measures.
• Implementing measures to address identified risks and vulnerabilities.
• Regularly reviewing and updating risk management strategies.

Go deeper: How to perform a risk assessment

Documentation and record-keeping

• Document policies, procedures, and compliance efforts.
• Keeping records of risk assessments, security measures, and breach response plans.
• Retaining records for at least six years to demonstrate compliance.

Go deeper: Guidelines for HIPAA compliant documentation and record retention

Employee training and awareness

Educating and training staff members is a HIPAA requirement:

• Provide regular training on HIPAA regulations, privacy, and security protocols.
• Ensure employees understand their roles in safeguarding PHI.
• Test employees' awareness and understanding through assessments.

Business associate agreements (BAAs)

Entities must have agreements in place with business associates who handle PHI:

• Ensuring business associates adhere to HIPAA regulations.
• Implementing contracts outlining responsibilities for safeguarding PHI.

Go deeper: How to know if you're a business associate

Response to OCR audits

Entities should be prepared to respond to OCR audit requests:

• Provide requested documentation promptly and accurately.
• Cooperate with OCR during desk audits or on-site visits.
• Demonstrate transparency and a commitment to compliance.

HIPAA audit trails

• Application audit trails: These logs track user activities within specific applications, recording actions like file access, creation, modification, or deletion of files associated with ePHI. These records let organizations track who accessed sensitive data and what actions were performed.
• System-level audit trails: These logs encompass system-wide activities, including successful and unsuccessful login attempts, timestamps of user logins to applications, and endpoints used to access organizational systems. They provide a view of user interactions with systems and serve as an essential source of information for monitoring access and identifying potential security threats.
• User audit trails: These logs capture user-initiated events and actions within systems, such as commands executed, login attempts, and access to ePHI resources. They help track user behavior, identify anomalies, and monitor compliance with established policies and procedures.

Related: The role of audit trails for HIPAA compliance

How to prepare for an audit

Preparing for a HIPAA audit is crucial for covered entities to ensure compliance with the law and safeguard PHI:

Comprehensive documentation

Policies and procedures

• Document all HIPAA policies, procedures, and protocols comprehensively.
• Ensure policies cover privacy, security, breach notification, risk assessments, and employee training.
• Regularly review and update these policies to align with evolving regulations and best practices.

Record-keeping

• Maintain detailed records of risk assessments, security measures, incident responses, and employee training.
• Retain records for at least six years to demonstrate ongoing compliance.

Employee training and awareness

Regular training programs

• Conduct training sessions on HIPAA regulations, privacy, security protocols, and handling PHI.
• Ensure all employees understand their roles and responsibilities in maintaining compliance.

Testing and assessments

• Assess employees' understanding and awareness through quizzes or simulated scenarios.
• Address any gaps identified in employees' knowledge or compliance practices.

Risk assessment and management

Regular risk assessments

• Conduct comprehensive risk assessments to identify vulnerabilities in the handling of PHI.
• Implement measures to address identified risks and vulnerabilities promptly.

Risk management strategies

• Develop and maintain strategies to manage and mitigate identified risks effectively.
• Regularly review and update risk management plans to adapt to changing threats and technologies.

Business associate management

Contracts and agreements

• Ensure proper agreements are in place with business associates handling PHI.
• Contracts should outline responsibilities and compliance requirements for safeguarding PHI.

Incident response readiness

Response protocols

• Establish well-defined protocols for responding to security incidents or breaches.
• Conduct regular drills or simulations to test the effectiveness of these response plans.

Self-audit and readiness assessment

Internal audits

• Conduct periodic self-audits to assess compliance readiness.
• Address any identified non-compliance issues promptly and proactively.

Readiness assessment

• Evaluate preparedness by simulating scenarios that mimic OCR audits to identify potential weaknesses or gaps.

Collaboration and communication

Internal communication

• Foster a culture of compliance by emphasizing the importance of HIPAA regulations throughout the organization.
• Encourage open communication channels for reporting any concerns related to PHI handling.

External collaboration

• Engage legal counsel or HIPAA compliance experts for guidance and support in preparation.
• Collaborate with IT professionals to ensure up-to-date technical safeguards align with compliance requirements.

OCR audit response readiness

Documentation organization

• Ensure all necessary documentation is organized and readily accessible for potential audit requests.

Staff preparedness

• Educate staff on what to expect during an audit and how to cooperate with auditors professionally.

How to respond to a HIPAA audit

Responding to HIPAA audits requires a strategic and comprehensive approach to demonstrate compliance effectively:

Provide requested documentation

Documentation compilation

• Gather all the required information: Collect and organize all requested documentation, including policies, procedures, risk assessments, training records, incident response plans, and any other relevant materials.
• Accuracy: Ensure the documentation is up-to-date and aligned with HIPAA compliance standards.

Timely submission

• Adherence to deadlines: Submit the requested documentation within the specified timeframe to avoid delays or non-compliance issues.

Facilitate on-site visits and cooperating with auditors

Preparing for on-site audits

• Logistical arrangements: If the audit involves an on-site visit, prepare the necessary facilities and resources to accommodate auditors.
• Access to records: Ensure auditors have access to the required physical and electronic records relevant to the audit scope.

Cooperation and assistance

• Open communication: Maintain open lines of communication with auditors and be responsive to their inquiries or requests during the audit process.
• Assistance and clarifications: Provide auditors with the necessary assistance and clarification to facilitate a smooth audit experience.

Be transparent and commit to compliance improvement

Openness and honesty

• Transparency in communications: Be transparent about compliance efforts, practices, and any identified areas for improvement.
• Addressing challenges: Acknowledge any shortcomings or areas of non-compliance and outline plans for improvement.

Commitment to continuous Improvement

• Proactive approach: Showcase a proactive stance towards compliance enhancement by detailing strategies for ongoing improvement.
• Learning from audits: Use audit findings as learning opportunities to strengthen compliance measures and policies.

Go deeper: 

• How to conduct a HIPAA compliance audit
• Audit Protocol

Outcomes and corrective actions

Following audits, OCR issues findings and recommendations. Covered entities with compliance gaps may receive corrective action plans or penalties. However, proactive remediation efforts positively impact resolution.

Audit findings

Identified compliance gaps

• Auditors may identify areas where the covered entity or business associate falls short of HIPAA requirements.
• Findings could relate to deficiencies in policies, procedures, training, risk assessments, or incident response plans.

Recommendations and corrective actions

• OCR may provide recommendations for corrective actions to address identified compliance gaps.
• These recommendations often come as corrective action plans (CAPs) outlining steps to remedy deficiencies.

Entity response and remediation

Proactive remediation

• Entities that proactively address identified compliance gaps often demonstrate a commitment to resolving issues promptly.
• Taking proactive measures can positively influence the resolution process and mitigate potential penalties.

Corrective Action Plans (CAPs)

• When CAPs are issued, entities must promptly respond with a detailed plan outlining how they'll address the identified deficiencies.
• CAPs typically include specific corrective actions, timelines, responsible parties, and measures to prevent recurrence.

Impact on resolution

Positive resolution

• Entities willing to address compliance deficiencies and implement corrective actions tend to achieve positive resolutions.
• Proactive remediation efforts and a commitment to ongoing compliance improvement can mitigate penalties and enforcement actions.

Penalties and enforcement actions

• Failure to address compliance gaps or implement corrective actions may result in penalties, fines, or other enforcement actions imposed by OCR.
• Penalties can vary based on non-compliance severity and the entity's history of previous violations.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of various rules governing the privacy, security, and breach notification standards for protected health information (PHI). It applies to covered entities, including healthcare providers, health plans, clearinghouses, and their business associates who handle PHI.

Why is HIPAA compliance important?

Compliance with HIPAA regulations ensures PHI's confidentiality, integrity, and availability. Non-compliance can lead to severe penalties, reputational damage, and compromised patient trust.