Types of HIPAA Audits
Understanding what type of audit you might face helps you prepare appropriately:
OCR Audits
- Desk audits: Document requests reviewed remotely
- On-site audits: Comprehensive review at your location
- Compliance reviews: Triggered by breach reports or complaints
Other HIPAA-Related Audits
- Customer audits: Healthcare customers reviewing your compliance
- Internal audits: Your own compliance assessments
- Third-party assessments: Independent reviews for assurance
Key Principle
OCR's audit protocol is based on the actual regulatory requirements. Auditors will ask you to demonstrate compliance with specific standards, not just show you have policies. Be prepared to show evidence that controls are implemented and operating.
Risk Analysis Evidence
Risk analysis is the #1 audit focus. Be prepared to provide:
- Risk analysis methodology documentation
- Complete risk analysis report (current)
- ePHI asset inventory
- Data flow diagrams
- Threat and vulnerability identification
- Risk ratings (likelihood × impact)
- Risk treatment plan
- Evidence of periodic reviews/updates
- Risk management decisions and approvals
Common Audit Questions
- When was your last risk analysis conducted?
- How did you identify all ePHI locations?
- What threats did you consider?
- How do you determine likelihood and impact?
- What actions resulted from the risk analysis?
Policies & Procedures Checklist
Core Documentation
- Information Security Policy
- Privacy Policy
- Acceptable Use Policy
- Access Control Policy
- Incident Response Policy
- Breach Notification Procedures
- Business Associate Management Policy
- Disaster Recovery/Contingency Plan
- Sanction Policy
- Training Policy
Policy Documentation Requirements
- Version control and revision history
- Approval signatures and dates
- Review dates (must be within last year)
- Evidence of communication to workforce
- Retention for 6 years from creation or last effective date
Administrative Safeguards Evidence
Security Management Process
- Risk analysis documentation (see above)
- Risk management plan and progress tracking
- Sanction policy with examples of application
- System activity review logs and records
Assigned Security Responsibility
- Security Officer designation letter/documentation
- Job description with security responsibilities
- Evidence of Security Officer activities
Workforce Security
- Authorization procedures for ePHI access
- Clearance/background check procedures
- Termination procedures and checklist
- Recent termination records showing access removal
Security Awareness & Training
- Training program materials
- Training completion records for all workforce
- New hire training documentation
- Security reminders/awareness communications
- Phishing awareness training records
Security Incident Procedures
- Incident response procedures
- Incident log/tracking system
- Sample incident reports and resolutions
- Incident response testing records
Contingency Plan
- Data backup procedures and schedules
- Backup test/restore records
- Disaster recovery plan
- Emergency mode operations plan
- DR testing results
- Business impact analysis
Business Associate Management
- Inventory of all business associates
- Executed BAAs for all business associates
- BA due diligence/assessment records
- BA compliance monitoring records
Physical Safeguards Evidence
Facility Access Controls
- Facility security plan
- Access control logs (badge swipes, visitor logs)
- Physical access authorization lists
- Emergency access procedures
- Maintenance records for security systems
Workstation & Device Security
- Workstation use policies
- Workstation security controls (screen locks, cable locks)
- Device/media inventory
- Media disposal procedures and records
- Mobile device management documentation
Technical Safeguards Evidence
Access Controls
- User provisioning procedures
- List of all users with ePHI access
- Role-based access control matrix
- Password policy and configuration screenshots
- Session timeout configurations
- Emergency access procedures
- Access review records (quarterly/annual)
Audit Controls
- Audit logging configurations
- Sample audit logs
- Log review procedures and records
- Log retention settings
- Alerting configurations
Integrity Controls
- Data integrity procedures
- Authentication mechanisms for ePHI
- Error correction procedures
Transmission Security
- Encryption standards documentation
- TLS/SSL certificate inventory
- VPN configurations (if used)
- Email encryption policies and tools
- Evidence of encryption implementation
Authentication
- Authentication policy
- MFA implementation evidence
- Password complexity requirements
Privacy Rule Evidence
- Notice of Privacy Practices (current)
- NPP acknowledgment forms
- Privacy Officer designation
- Authorization forms
- Minimum necessary policies and procedures
- Access request handling procedures
- Amendment request procedures
- Accounting of disclosures procedures
- Privacy complaint log
Breach Notification Evidence
- Breach notification policies and procedures
- Breach risk assessment template
- Breach log (even if no breaches)
- Notification templates
- Records of any past breaches and notifications
Audit Preparation Tips
- Organize by standard: Map your evidence to specific HIPAA requirements
- Create an evidence index: Know where every document is located
- Verify currency: Ensure all policies have been reviewed within 12 months
- Check signatures: All policies should show approval
- Test your controls: Don't wait for auditors to discover gaps
- Prepare personnel: Key staff should be able to explain their roles
The best time to prepare for an audit is before you know one is coming. Maintain your compliance program year-round, not just when facing an audit. OCR investigations often start from breach reports or complaints, so you will not have advance notice.