Setting Up a HIPAA Compliance Audit: Step-by-Step Checklist

Image of content creator smiling for camera
Written by Katherine Zheng, PhD, BSN Content Writer, IntelyCare
Image of content creator for bio page
Reviewed by Aldo Zilli, Esq. Senior Manager, B2B Content, IntelyCare
A physician checks patient records on a laptop.

All staff members in healthcare settings are legally required to maintain the security and privacy of patients’ protected health information (PHI). Facility leaders are expected to not only implement safeguards to protect this data, but also to conduct routine HIPAA compliance audits that minimize the risk of unwanted breaches.

With so many different modes of patient data transfer and storage, you may be wondering how to streamline an audit at your facility. In this article, we’ll outline the key steps of this process to help you set up an effective HIPAA audit protocol.

Feel free to download and tailor our HIPAA compliance audit checklist sample below.

What Is a HIPAA Compliance Audit?

Under the federal Health Insurance Portability and Accountability Act (HIPAA), healthcare facilities are required to implement various administrative, physical, and technical safeguards to protect their patients’ information. An audit involves a comprehensive review of these safeguards to verify ongoing compliance to these regulations.

While the Office of Civil Rights (OCR) conducts periodic HIPAA audits of facilities, it’s just as important for facilities to conduct their own internal audits on an annual basis. This ensures that any deficiencies are addressed in a timely manner, also reinforcing the accountability and responsibilities of all staff members at a facility.

Why Is HIPAA Compliance Important?

Beyond its legal implications, HIPAA compliance is crucial for maintaining patient privacy and trust. Facilities that fail to comply with all HIPAA standards increase the risk of exposing sensitive patient data, which can result in lawsuits, heavy fines, or even criminal charges. All major HIPAA violations also become part of the public record, which can impact a facility’s long-term reputation.

7-Step Checklist for Ensuring HIPAA Compliance

While HIPAA requires facilities to implement safeguards that protect PHI, it does not mandate the use of any specific tools or measures. So, when conducting an internal HIPAA audit, compliance should be reviewed based on your facility’s individual structure and needs.

The following 7-step checklist is designed to help you get started setting up a HIPAA compliance audit. Example items are listed under each step, but these items may vary based on your facility’s policies and procedures.

1. Check in With Your HIPAA Compliance Leads

The first step in your audit process should be checking in with the leaders responsible for overseeing HIPAA procedures at your facility. These are the experts who have a strong understanding of regulatory requirements and help enforce HIPAA standards among staff. Working with these leads will ensure that your audit covers all necessary systems, tools, and procedures at your facility.

It’s also important to establish who audits HIPAA compliance at your facility. This is most commonly done by a HIPAA security or privacy officer, but you may also want to assign different people to audit the various sectors and systems.

Examples of HIPAA compliance leads:

  • Security officer
  • Privacy officer
  • Director of staff training
  • Incident response lead
  • System/hardware specialists

2. Review the Physical Security of the Environment

Physical safeguards refer to the protection of facility rooms or areas in which PHI is stored and accessed. For this next step, you’ll want to ensure that all workstations, care units, and any other physical spaces where patient information is being handled is properly secured.

Examples of physical safeguards:

  • Secure PHI disposal bins
  • Locked cabinets storing paper records
  • Visitor access controls
  • Biometric scanners

3. Review ePHI Storage and Access Controls

Next, you’ll want to assess the technical safeguards that protect the electronic PHI (ePHI) stored in clouds, computers, or devices. These reinforce the physical safeguards within the environment to ensure that ePHI can’t be accessed or used inappropriately.

Examples of technical safeguards:

  • Encryption of all stored and transmitted ePHI
  • Multi-factor authentication for system access
  • Monitoring systems that log staff activity
  • Automatic log-off features

4. Run Risk Assessment Procedures

Running regular risk assessments is an important way to identify deficiencies in your facility’s HIPAA safeguards and policies. This step involves conducting comprehensive analyses on how the PHI at your facility is accessed, transferred, and stored.

Examples of risk assessment procedures:

  • Identifying potential cyberthreats and response plans
  • Interviewing staff to identify gaps in HIPAA competencies
  • Conducting vulnerability analysis on access controls
  • Evaluating firewall configurations and network segmentation

5. Update HIPAA Training and Education Programs

The HIPAA privacy rule requires facilities to provide training to all new staff or those who are impacted by changes in institutional policies. So, after you’ve reviewed your safeguards, you’ll want to make sure that your staff training programs reflect the most updated information.

Examples of HIPAA training topics:

  • PHI identification, storage, and disposal
  • Incident response procedures
  • Secure communication practices
  • Medical device access controls

6. Ensure Your Business Associates Are Maintaining Compliance

Next, you’ll want to conduct a HIPAA compliance audit on your business associates. This includes any vendors or partners that have access to your patients’ health information. It’s important to ensure that your business associate agreements are up-to-date and that all contract terms are being upheld.

Examples of business associates:

  • Electronic health record (EHR) vendors
  • Medical transcriptionists
  • Consultants and lawyers
  • Medical device providers
  • Telehealth platform providers

7. Implement a Breach Notification Plan

Finally, be prepared to report any data breaches that do occur. The breach notification rule requires facilities to notify all affected individuals and relevant government entities when PHI is accessed by an unauthorized party. Implementing a structured reporting process ensures compliance with these rules and enables you to take corrective action in a timely manner.

Examples of breach notification processes:

  • Notifying all affected patients
  • Filing a report with the Department of Health and Human Services (HHS)
  • Issuing notices to media outlets

Get More Tips on Healthcare Compliance

Setting up a routine HIPAA compliance audit is one of many ways to maintain privacy and security at your facility. Seeking more ways to protect your staff and patients? Get dozens of expert-written insights into healthcare management, compliance, and more delivered straight to your inbox.


Stay in the know

with the latest industry
insights and trends