The new year, as well as the new decade, is just around the corner. The HIPAA Security Rule mandates periodic assessments of security risks performed by Covered Entities (CEs) and business associates (BAs). It is important to note that the HIPAA Security Rule provides flexibility in the way audits are conducted for a particular facility or system, taking into consideration various aspects, including the size, complexity, technological infrastructure, and most likely the severity of the security risk. Here are some suggestions to help prepare for a HIPAA compliance audit:

Focus on HIPAA Training for Employees

Training staff members is crucial to their understanding of HIPAA standards and to maintaining compliance. Employees who have not been trained, or who are unfamiliar with the HIPAA compliance software or regulations they work with, increase the chance of failing an audit. Document your training and show the OCR (Office for Civil Rights) that you are committed to educating your employees.

Security Risk Audits

Note any operational, organizational, or structural changes in the last year (e.g., mergers or acquisitions, new construction) and incorporate any new areas or departments into your audit strategy. Auditing your security risks regularly helps you prepare for an audit conducted by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Document the Policies

Keep your last evaluation on hand, along with a list of the mitigated risks and the HIPAA policies, guidelines, and controls in place, together with evidence that these guidelines and procedures are actually followed.

Use Spreadsheets

Use spreadsheets to record your audit responses on everything from facility security to encryption protocols to liability insurance. We suggest employing a GRC software program to collect data, monitor risk profiles, create action plans, and track progress.

Select a Security Assessment and Privacy Officer

HIPAA mandates a security and privacy officer for every covered entity and business associate. This doesn’t need to be a new hire; however, you will need an individual who is accountable for the security and protection of PHI and who can demonstrate the efforts taken to comply with the regulations. The officer must also review agreements with business associates, since the OCR will examine third-party agreements that deal with electronic protected health information (ePHI).

Review of Policy Implementation

While it’s crucial to document the guidelines and procedures, it’s equally crucial to determine how they are applied. The OCR will look at how these policies and procedures are applied to daily business operations and whether they’re followed consistently. Meet with your employees to determine whether the policies are being implemented. If employees struggle to adhere to a rule, make time to look into the issue and revise the rule. Develop a plan of action for the audit.

Conducting an Internal Audit

Internal auditing is the best way to find the flaws in your system before the OCR audit. Conducting regular internal audits helps you resolve issues before they become fines, keeps your staff alert, and eases the burden of the actual audit. Ideally, go through your procedures and policies the same way an auditor would, and check whether the policies serve the purpose of the regulation and actually improve security and privacy for patients.

In short, healthcare providers and business associates must prepare a risk analysis and risk management plan, documenting their data management, security, and training plans for a HIPAA audit. As a first step, they should engage reliable HIPAA compliance organizations such as and seek their help.