
HIPAA Security Compliance Assessment — What Is It and How To Prepare for It

In the first six months of 2020, hackers breached medical databases a shocking 285 times. All told, they stole the private records of almost 32 million Americans. These figures represent an alarming new trend.  

Increasingly, hackers are targeting medical records in their quest to steal Americans’ identities. Unlike credit cards, the information in patients’ records can’t be easily canceled and re-issued, leading to long-term challenges for patients and providers alike.  

In response to this trend, the HHS is cracking down on security compliance among covered entities. Keep reading now to learn how to protect your patients’ records from hackers and how to protect yourself from HIPAA violation fines using a HIPAA security compliance assessment.

What Is a HIPAA Security Compliance Assessment?

A HIPAA security compliance assessment is a comprehensive review of a covered entity’s information safety and security. It looks at:

  • Information technology systems
  • How staff and partners handle patient records
  • How staff and partners handle equipment that contains or can access patient data
  • System backups
  • Staff knowledge of and training on HIPAA requirements related to information security

The goal of an assessment is to evaluate how compliant an entity is with HIPAA rules and regulations. An assessment will also identify:

  • Potential weak spots that could provide an opportunity for a data breach
  • Misinformation or poor training among staff and partners
  • Focal points for future upgrades or improvements 

All of this information is critically important. 

Who Needs to Complete an Assessment and Why?

Per HIPAA law, all healthcare providers, their partners, and other covered entities must complete a HIPAA compliance audit at least once a year. If possible, they should conduct additional assessments if:

  • Any part of their information management system changes
  • They identify a potential problem through other means 
  • They gain or lose partner agencies or businesses

Why is a HIPAA risk assessment so important? First, risk assessments protect patients by shielding their personal information from thieves. 

Second, risk assessments protect providers from data breaches. This keeps their reputations intact and prevents them from having to pay huge penalty fines after a breach. 

Third, a HIPAA audit can help providers invest their time and resources wisely. For example, an audit will help you see where your organization is doing well and where the weak points are. That will enable you to wisely invest in the areas where additional resources will make a positive difference.

What to Expect From an Assessment

What should you expect during a HIPAA assessment? The exact process may vary depending on the size, structure, and operations of your organization. In general, however, you can expect a few key things no matter what. 

Document Review

The auditor will review all of your company’s documentation. This includes contracts and agreements with other businesses, providers, and organizations. They will compare your contracts to HIPAA standards and make sure they are aligned.   

Training Review

The auditor will review employee training records to verify that employees are being appropriately trained on HIPAA compliance. They may interview employees or observe them for evidence of failure to comply with HIPAA standards.

The auditor will also look at how your internal processes are implemented to verify that slip-ups are not creating the potential for data loss. 

Hardware and Software Assessment 

The auditor will examine your company’s:

  • Hardware
  • Software
  • Digital systems
  • Data security measures 
  • Emergency plans in the event of a breach
  • Backup systems  

They will ensure that each piece of your system complies with HIPAA regulations. When appropriate, they will highlight opportunities for improvement or best practices you might apply. 

When the audit is over, the auditor will review your score with you. They will also review recommendations for how you might improve and may help you establish a plan and timeline for implementing those changes. 

How to Prepare

Preparing for an audit is straightforward. The first step is to appoint an auditor. You may choose someone from within your organization or hire an outside expert.

Second, appoint a person within your organization to be responsible for responding to and acting on audit results. This may or may not be the same person performing the audits. 

Third, create a list of partner and associate agencies. Collect any relevant contracts and other information about these entities so that your auditor can review them.

Fourth, make sure your staff understands the importance of the audit. Encourage them to be honest and cooperative at every step. Auditors cannot help you protect your patients and staff if they do not get accurate information. 

Finally, get your audits and follow-up steps on the schedule to ensure that they happen and do not fall through the cracks or get forgotten in the bustle of everyday business.  

The Value of a Third Party

Whenever possible, it is in the best interest of every covered entity to have a third party conduct its HIPAA risk assessment.

Even the most ethical in-house auditors are prone to bias, though it is often unintentional. They can make assumptions based on what they already know about a process or a department.

They may be too familiar with company standards to think “outside the box.” They may also simply lack the broader experience to identify and recommend opportunities to implement new or different strategies that would be to the company’s benefit.

Third parties bring a clean, unbiased view to the table. They do not make assumptions and can better identify places where information is inferred or assumed instead of being spelled out in documentation as it should be.

Third parties also tend to have experience that is both deep and broad. They can view the business in a larger context. This enables them to offer creative alternatives and suggestions that an in-house person might not be aware of or familiar with.

Finally, a third-party auditor provides accountability. They can help hold an organization to its standards, its timelines, and HIPAA regulations. This provides the best possible outcomes for everyone.

Learn More

Protect your business from hackers and legal penalties. Contact us today to learn more about how our HIPAA compliance experts can help you bring every aspect of your business into security compliance with HIPAA standards. 
