You’ve received notice that you’re going to be audited by the Office for Civil Rights (OCR) for HIPAA privacy and security compliance.  First thing you need to do… don’t panic! Companies survive HIPAA audits all the time. In fact, about 31% of all audits result in no violations and no corrective action required.

While it’s possible to pass a HIPAA audit, it doesn’t happen by chance; it requires a lot of hard work and due diligence to prioritize security and the controls needed to safeguard protected health information (PHI).  

The key to a successful audit is preparation.  And while it might seem like a daunting task, it really comes down to these 5 steps:


#1. Be clear on what assessments need to be conducted

There are 3 assessments required under HIPAA Regulation 45 C.F.R. §164.308(a) (the risk analysis in §164.308(a)(1)(ii)(A) and the periodic technical and non-technical evaluation in §164.308(a)(8)). While it’s important to conduct each assessment, it’s also important to understand which assessment you are being asked to participate in for the audit.  

Too often organizations miss this distinction and prepare for a full-blown risk assessment, which may be unnecessary. So be clear on what the request is; this will establish what documentation you are required to submit for review.

  1. Compliance assessment.  This is a non-technical assessment of your organization’s policies, procedures, and training requirements, and how well the workforce adheres to them.    
  2. Technical assessment. This is an evaluation to verify the technical safeguards on systems containing sensitive information.  Examples include penetration testing, vulnerability scans, and phishing or social engineering tests.
  3. Risk assessment.  This is a comprehensive class of assessments looking at the risks to the organization and to sensitive systems, and the security controls in place to mitigate those risks.


#2. Get your documentation in order

I can’t stress enough how important it is to have well-documented policies, procedures, and controls. A company that lacks comprehensive documentation will almost certainly fail a HIPAA audit, because the auditor has no evidence that the controls exist.  In general, your HIPAA documentation should meet the following requirements:

  • Highly detailed.  Your workforce and auditors should be able to read your documentation and know what is required, how you enforce policies, and the consequences of non-compliance without further explanation.
  • Readily available. Documentation is not useful if it’s not used.  You need to make sure that your documentation is available to your teams and is easy to access, navigate, and understand.    
  • Maintained for 6 years.  Under the Security Rule (45 C.F.R. §164.316(b)(2)), required documentation must be retained for a minimum of 6 years from the date it was created or the date it was last in effect, whichever is later.  This includes revisions and change logs for policies and procedures, documented reports of security incidents, assessment outcomes, and other audit evidence.
  • Updated frequently.  Documentation must be relevant and reflect current processes and procedures.  Remember, this is the record of what you require as an organization and the controls that enforce those requirements.  If it’s not documented, it’s not happening. Update these as policies and procedures change, but at a minimum you should review and update them annually.

One other thing to note is that there is a lot of overlap in the different assessments and the documentation required for each. This can make it challenging to structure your documentation in a way that is still easy to navigate and implement.  

We recommend having the following sets of documents with a focus on how you enforce administrative, physical, and technical safeguards of PHI.

  • Policies, procedures, and controls.  Policies should be clear on what the expectations are and should reference the applicable federal and state requirements.  Procedures need to be detailed, clear, and offer specific checklists for how policies will be carried out and enforced.  Controls should reflect how procedures are monitored for efficacy and how you ensure they are performed on time.
  • Training documentation.  Training documents should include not only the training materials but also a record that each employee participated in and acknowledged completing the training.  
  • Business associate agreements.  Whether you are a covered entity or a business associate that subcontracts to a 3rd party, you must have documentation to support what is required from your business associates, how you will enforce these requirements, and the consequences of non-compliance. You should also retain copies of current and prior BAAs maintained by the organization.
  • Risk analysis.  Auditors will want to see that you have conducted a risk analysis, the process you followed, and the findings.  This will be key to showing that your organization has identified and evaluated the risks to PHI and has a plan in place for mitigating them.
  • Risk management plan.  This goes hand in hand with your risk analysis documentation.  It outlines how you prioritize and plan for risks, along with a track record of actual examples of these procedures being followed.

#3. Conduct your own assessments periodically

One thing OCR will be looking for is evidence of how you continue to prioritize and enforce required controls and safeguards.  A great way to demonstrate this is to actually conduct the assessments, document the steps you took, and record the outcomes.  This can be done by internal staff, or do what we do and hire a 3rd party to come in and conduct the assessment.

If that’s not an option, there are a ton of great resources to help your organization conduct these assessments on your own.  The go-to resource is the OCR site, which offers training, tips, and toolkits for getting you up to speed, including the HHS Security Risk Assessment (SRA) Tool for walking through a risk analysis.  

I would also recommend reading National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments, the framework OCR’s own risk analysis guidance points to, along with NIST SP 800-66, which maps the Security Rule’s requirements to concrete practices.


#4. Manage your risk wisely

Depending on the maturity and size of your organization, you may not be able to address all of the findings from your own assessments at the same time, nor should you try to.  Instead, prioritize corrective action based on the likelihood of occurrence, the impact on the business, the efficacy of the available controls, the level of effort, and the resources you have.  

We recommend developing a decision matrix that works for your organization, defining which risks are considered critical vs. minor and when to mitigate vs. accept and monitor. Build this into your documentation so that an auditor can see how your organization evaluates risk and deals with it, and keep the record of each decision.


#5. Make security a priority for all

This is the most important takeaway! Don’t assign responsibility to just one person.  This should be a priority for leadership and the entire workforce. Have a champion or a dedicated security officer (the Security Rule requires you to designate one anyway, under §164.308(a)(2)) to train, remind, and enforce safeguards, but recognize that it is an organization-wide priority and the responsibility of all.  

Don’t slack on your BAAs either.  Make sure that you are engaging with vendors that understand the requirements, appreciate the value that HIPAA brings, and embrace the rigors of assessments as an opportunity to improve outcomes and close gaps.  Understand that you must manage your business associates with the same level of scrutiny as your own organization, if not more.

Do yourself a favor and do your due diligence up front to avoid the pain and punishment later on.