HIPAA Audit – 5 Tactical Observations to be Prepared

Is your organization prepared for a HIPAA audit? Although random audits from the Health and Human Services Department’s Office for Civil Rights (OCR) are rare, several factors can trigger an audit. Patient complaints and privacy breaches are among the events that can expose noncompliance, leading to bad public relations and heavy fines.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires healthcare organizations to protect patient data and sensitive information. Are you fully compliant with HIPAA regulations? Let’s take a look at an overview of the auditing process and the steps you should take to protect your healthcare organization from unnecessary risk.


Who can be audited?

Anyone who is required to follow HIPAA regulations can be audited by the OCR. This includes covered entities and business associates. These organizations must meet the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.


What can trigger an audit?

Although random HIPAA audits are rare, they do happen. The OCR states that these random audits are for informational purposes only. However, if a breach is found during a random audit, the OCR will follow up with a compliance review.

Some common audit triggers are:

  • Complaints from patients or employees. Patients can complain for various reasons: Perhaps they found out their information was shared on social media, or they were denied access to their records. Employee complaints are slightly different from patient complaints as they may fall under the whistleblower provision of the Privacy Rule.
  • Prior breaches. If an organization has reported a breach affecting 500 patients or more, it may have caught the attention of the OCR and may be more likely to be audited in the future.
  • Business associates’ (BA) errors. Breaches caused by your business associates can lead to an investigation into your healthcare organization.
  • Security breaches. Being hacked by cybercriminals, using unencrypted devices, and losing devices to theft or misplacement can all lead to the exposure of patient records, which could trigger a HIPAA audit from the OCR.
  • Previous OCR visits. The more times an organization has been involved in a breach, the higher the chance the OCR will be on the lookout for further violations. Repeat violations for willful neglect of HIPAA rules can result in a maximum fine of $100,000 per violation.


How to prepare for a HIPAA audit.

Preparing for an audit by the OCR may sound burdensome; however, it ensures your organization is compliant with HIPAA. What you don’t know can cost you: HIPAA compliance means not having to pay hefty fines.

To prepare for a HIPAA audit, an organization must take steps to comply with HIPAA regulations:

  • Appoint a compliance officer. This can be an existing employee, a new hire, or a third-party consultant. Outsourcing healthcare compliance may be a cost-effective time saver that gives you the full benefit of an expert’s knowledge and objectivity.
  • Document. The key to proper documentation is to be well organized, keep your information in one place, and make sure it is readily accessible. Document all your policies, procedures, business associate agreements, employee training, risk assessments, and security incidents.
  • Continue to update HIPAA procedures. Remember, HIPAA compliance is an ongoing process. It’s not a one-time plan, but something that needs to be reviewed, updated, and analyzed often. This is another reason it may be beneficial to outsource the role of the compliance officer. Keeping up with the latest requirements is generally a full-time job and can take up much of an employee’s time.



Conducting self-audits either internally or through a third party is an important part of ensuring HIPAA compliance.

A comprehensive self-audit should include the following steps:

  • Perform risk assessments on electronic protected health information (ePHI). Make sure all messaging apps, telehealth platforms, and other communication methods are secure and encrypted.
  • Review business associate agreements. Keep records of the contracts and review them periodically.
  • Review employee training procedures. Training programs need to be updated when requirements change. For example, with the current pandemic, many employees may be working from home. Protocols for keeping information secure when using home devices and Wi-Fi systems may need to be reviewed.
  • Review your documentation policies. Auditors can request many documents. Keeping these in order will go a long way toward helping your case should you be audited. It helps to have solid proof that you have done everything in your control to be compliant.


A HIPAA audit is ongoing.

HIPAA compliance is mandatory, and an audit can be triggered at any time, for many reasons. If a complaint is filed against you, will you be prepared to prove your compliance status? The best preparation for a HIPAA audit is to prepare before it happens. Implement best practices in your organization now to avoid unfortunate public relations occurrences and costly penalties in the future.