How To Prepare For A HIPAA Audit

While a HIPAA audit is something you might be dreading, it is necessary. Audits can be intimidating and stressful, but they are an important part of protecting crucial information.

Healthcare information is one of the most highly targeted areas for cyber attacks; the information company Experian predicts that it will be “the most targeted sector” in 2017.

A HIPAA audit does not have to be a nightmare. Taking the proper steps before the audit can make the whole experience smoother.

So in this article, we are going to take you through some simple ways to prepare for a HIPAA audit.

Perform Internal Audits

Conducting your own audits can keep you from having to deal with violations when you are officially audited later.

By doing internal audits, you will be able to both find and resolve problems within your system before the official HIPAA audit.

These self-checks should be done on a regular schedule in order to identify new issues that arise over time.

Having these internal audits will also mean you understand the risks or vulnerabilities your organization has instead of being surprised and confused at a HIPAA audit’s findings.

Have HIPAA Audit Documentation Ready

It should come as no surprise that there’s a multitude of documents you’ll need for a HIPAA audit.

Your Organization’s Policies and Procedures

Obviously, your organization needs certain policies and procedures regarding security and protection.

What might not be so obvious is that you need to have these policies and procedures written down.

Besides being able to showcase your security set-up and procedures to auditors, having your policies well-documented will make it easier to follow them.

Some of the policy documents you should have are:

  • Incident Response Plans
  • HIPAA Security Rule Policies
  • HIPAA Privacy Policies

Training Documents

All of these policies and procedures should be well known by your staff, and they should receive training about each one.

Employees also need HIPAA specific training in order to be familiar with all policies protecting security and privacy.

While training is generally only required to be conducted annually, it can’t hurt to do it more frequently.

This will ensure that your employees have a very good understanding of all of the procedures, how to perform them, and know when changes or updates have been made.

Auditors will often check to see if employees know the policies and procedures, so training is crucial.

In terms of documentation, be sure to have training/employee manuals, a record of training dates, as well as staff signatures indicating training has taken place. These manuals should also be readily available to all of your employees.

Risk Analyses

A risk analysis is an analysis of the potential risks that your organization faces.

It should be comprehensive and cover any area where there are potential vulnerabilities or the possibility of a security breach.

This includes not only electronic records and healthcare data, but also paper records, physical records, doctor notes, etc.

There are specific guidelines for a risk analysis, and you must be sure to document when this risk analysis is done.

You’ll also need to document a risk management plan that is made in response to the risk analysis. This plan should detail how you are going to address the risks found during the risk analysis.

Other Documents

While these are the main types of documents you should have ready, there are many more that you should have as well.

These include:

  • Prior audits and their results
  • Details of where information is stored
  • Inventory of technological equipment (computers, fax machines, printers, etc.)
  • What security tools are currently being used
  • Training materials
  • Business associate agreements

Set Up Some Safeguards

Something else that will be looked at during the HIPAA audit will be what safeguards you have in place.

Based on the risk analysis and any internal audits you have done, you should know the specific vulnerabilities you and your organization face.

Keep the results of previous audits and your risk management plan in mind as you decide what safeguards you need.

There are certain safeguards that you must implement to protect PHI; these safeguards can range from technological to physical to administrative in nature.

Be sure to have these things in place in order to protect the information you have.

You can protect the information in a number of ways.

Technological Safeguards

To protect data and information from malicious software, there are a number of types of “scanning” software you can install that will provide protection.

They will essentially “scan” and look for potential harm and security vulnerabilities.

You should also use technology to protect certain accounts from hackers or a security breach.

Maintaining a list of your technology is also crucial, as it will give you a general understanding of where everything is stored (and as we said in the documentation section, auditors often want to see an inventory of technology equipment used to store data).

Physical Safeguards

Physical protection of data could involve storing documents and data in a particular room that is locked or has limited access.

You could also opt for storing the data in specific files that can be secured in particular areas with limited staff access. This also means keeping information organized and maintained so that you can check that nothing is missing or has been tampered with.

Administrative Safeguards

This goes back to our section on training.

Having your employees understand your particular procedures is crucial, as they have direct contact with a lot of this healthcare data and information.

Besides having training on the guidelines of procedures and policies, the staff must also be trained on what to do in the event of a potential breach.

They need to be trained on how to report a breach, as breach notification has specific HIPAA requirements that will certainly be checked during an audit.

Limiting the access to information to a certain number of people also provides security for this information, as access will be restricted and thus more controlled.

Bottom Line

A HIPAA audit is a process that seeks to improve the security of essential information.

While the process itself can be daunting, hopefully these tips we gave you will help you understand what you’ll need to make it as easy on yourself as possible.

We’re here to help. We provide a comprehensive and affordable HIPAA compliance solution and a number of additional resources that can help you be prepared should the auditors come knocking.

If you have any questions or comments, please feel free to contact us!

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.