Here’s A Checklist to Help Prepare for HIPAA Audits

HIPAA has been the law of the land since 1996. The Privacy and Security rules are also now over a decade old. That means there’s little leeway when healthcare organizations make mistakes or fail to maintain standards set out by the law.

If you fail an audit, you will be fined.

Fortunately, HIPAA rules are straightforward, and all that’s required to prepare for an audit is to follow a simple checklist.

A HIPAA checklist is helpful even if you believe you’re fully compliant. It ensures you’ve fully updated your systems as you’ve increased your use of technology and identifies any outstanding cybersecurity risks. It’s a methodical way to ensure you’re not assessed a five-figure fine – or even a million-dollar fine.

If the Office for Civil Rights (OCR) has scheduled a HIPAA audit for your organization, follow this checklist to right the ship and pass with flying colors.

Why Am I Scheduled for an Audit?

HIPAA audits are a bit like an IRS audit: no one enjoys them, and they may be unpredictable. But they are necessary for ensuring every healthcare organization is doing its fair share to protect patients.

Here are three reasons you might have been selected for an audit:

1. At Random

The OCR randomly selects organizations for an examination to review the policies and procedures you and your business associates use to uphold the Privacy, Security, and Breach Notification Rules.

2. Complaints

The OCR received 173,426 complaints between April 2003 and January 2018. These complaints are often investigated using a HIPAA audit structure.

If the OCR receives a complaint, it’s likely you’ll be audited – even if you aren’t visited straight away. The OCR has found that out of all investigations, only 31% of covered entities or their business partners had not violated the law. The remaining 69% were provided with corrective actions to follow.

3. Self-Reported Breaches

If you’ve experienced a breach and reported the security issue to HHS, then you’ll likely receive a follow-up visit and audit from the OCR.

Your HIPAA Checklist

If you’ve been following the rules, you shouldn’t have any concerns when your audit arrives. But that doesn’t mean you shouldn’t prepare for its arrival.

Self-assessment is the key to avoiding violations and corrective measures. After all, if you’re not assessing, then you’re guessing. In fact, this checklist isn’t just for use before an audit: using regular self-assessments aids in building robust compliance programs and ensuring everyone on site is aware of their responsibilities.

There are four things to take note of before an audit:

  1. Documentation
  2. Proof of Training
  3. Security Incidents
  4. Demonstrate Controls

We’ll break them down for you now:

1. Documentation

HIPAA audits aim to ensure that all relevant documentation is not only complete but also available and up to date. The two most important documents auditors will ask to see are:

  1. Risk analysis
  2. Risk management strategy

These documents provide the details of the risks unique to your organization and demonstrate not only an acknowledgment of those risks but a plan for mitigating them.

Be prepared to hand over documentation outlining the current procedures and policies in place and any related documents.

If this isn’t your first go-round, it won’t hurt to have the results from previous audits on hand.

Finally, put together these documents:

  • Technology inventory
  • Incident response plan
  • Organizational security chart
  • Business associate agreements

Don’t forget: some paperwork will be unique to your practice. It doesn’t hurt to present it in advance to demonstrate your commitment to compliance.

2. Proof of Training

The documentation described above should include evidence of a thorough HIPAA training program provided to staff. However, it’s not enough to demonstrate the existence of a program – you also need to show that it’s being implemented.

Every compliance program should offer a way of assessing or at least demonstrating that key employees have been trained in it.

Proof of training shows that you’re committed to compliance. It also provides some protection for your organization if you’re reporting security breaches, which we’ll cover in the next section.

If you’re able to demonstrate that a training plan was in place and that the breach was not part of standard practice or the result of lax training, you’ll make a better case to the auditor.

3. Security Incidents

If you discover a breach, HIPAA law requires you to notify affected individuals and the Secretary. Although you’re not required to report them to the auditor, it’s good to have all documents related to previous security incidents collected and ready for inspection.

Security incidents happen, and in some cases, you’ll find an intruder on your doorstep, but there won’t be a breach. While you don’t need to report a non-violation, it’s good to share the event anyway. Auditors will ask you about:

  • How you handled the incident
  • Your business associates
  • How vendors protect the data

Remember, ‘no’ is not the right answer when you’re asked about security incidents. HIPAA compliance should protect you from serious breaches, but the threat is always looming regardless of how compliant you are. So, focus on showing the auditors that you take security seriously.

4. Demonstrate Controls

So far in the HIPAA checklist, you’ve collected all the paperwork regarding your risk management strategy and security incidents. However, just as auditors want proof that your employees are trained, they also want to see that you operate the controls.

Be prepared to show that you not only know how to operate the controls but that they are fully functional.

Embrace Your Audit with a HIPAA Checklist

It’s easy to approach the audit as an inconvenience or worse – something to be feared. Rather than worrying about the results, focus on embracing your audit and using this as an opportunity to ensure you and your team are fully compliant.

The best results stem not from presenting mountains of paperwork but from a clear explanation of your security program – a report that shows you understand exactly what you’re doing and how to protect your patients and staff from serious violations.

Are you facing a HIPAA audit? Use this HIPAA checklist to prepare. If you have more questions or find holes in your security, ask us about our HIPAA compliance solutions, and pass your audit with flying colors.

HIPAA Security Reminders
HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
