HIPAA Audit: HIPAA Compliance for Security

The Department of Health and Human Services’ (DHHS) Office of e-Health Standards and Services released a two-page document, Sample – Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews, which lists the personnel an investigator may interview and the documents an investigator may request.

To download PDF: Official DHHS released HIPAA Audit Checklist

View HIPAA Audit Checklist released by DHHS

The HIPAA Security Rule establishes the requirements for the Risk Management implementation specification, Audit Controls, and Evaluation standards.

The main objective of a HIPAA audit is to ensure that healthcare organizations and their business associates comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. These audits aim to assess the security and privacy measures to safeguard patients’ protected health information (PHI). By conducting HIPAA audits, regulatory bodies can identify any potential vulnerabilities or non-compliance issues and work towards strengthening the overall protection of sensitive health information.

Risk Management Implementation Specification

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Audit Controls Standard

Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI (e-PHI).

Evaluation Standard

Perform periodic technical and non-technical evaluations that establish, and document, the extent to which the entity’s security policies and procedures meet the requirements of the HIPAA Security Rule.

The Risk Management implementation specification requires organizations to continually identify, select, and implement controls, countermeasures, reporting mechanisms, and verification processes that bring risk to an acceptable level at an acceptable cost.

Organizations must also repeatedly identify vulnerabilities in the systems that store, process, or transmit electronic PHI and in their other information assets, and implement security measures that reduce the associated risks to a reasonable and appropriate level.

The Security Rule covers only electronic PHI. Organizations should look beyond it and assess their security needs for all PHI and all information assets. A compliance assessment can be conducted internally, with external resources, or as a combination of the two.

The Security Rule mandates covered entities to periodically scrutinize their security safeguards, providing evidence and documentation of compliance with the entity’s security policy and the stipulations of the Security Rule.

Objective of HIPAA Audit and Evaluation for HIPAA Compliance

The objectives of a HIPAA audit include the following activities:
1. Assess whether the vulnerabilities identified in the risk analysis have been addressed.
2. Verify that all compliance requirements have been met.

HIPAA Citation          HIPAA Security Rule Standard    Implementation Specification
164.308(a)(1)(i)        Security Management Process
164.308(a)(1)(ii)(B)                                    Risk Management
164.308(a)(8)           Evaluation
164.312(b)              Audit Controls


Risk Management

Risk management aims to implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. NIST defines risk as a function of the likelihood that a given threat source will exercise a particular vulnerability and the resulting impact of that adverse event on the organization. Risk management therefore consists of identifying risks, evaluating their likelihood and impact, and taking measures to reduce them to an acceptable level.

In security, professionals commonly describe risk management as a systematic approach to recognizing, choosing, and implementing controls, countermeasures, reporting mechanisms, and verification processes. The ultimate aim is to attain an appropriate level of risk at a justifiable cost.

Audit Controls

The Audit Controls standard requires hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Organizations must assess whether the mechanisms they have deployed record enough system activity to let them examine it and identify suspicious behavior. The audit capability should trace each action to both the device and the user, so that individuals can be held accountable under the security policy, and the policy should define the procedures for responding to audit alarms and discrepancies.

Audit controls can be applied to systems, networks, applications, or other technical processes. The covered entity needs to specify the duration for retaining audit log data, ensuring it is sufficient to investigate inappropriate access instances.

The organization must define authorized personnel for accessing the system’s audit log data and establish secure storage and protection protocols, particularly for data containing protected health information. Audit trails may serve as evidence in legal proceedings, so it is crucial to safeguard their integrity, preserving their utility for such purposes.
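The record-and-examine, trace-to-user-and-device, and log-integrity requirements described above can be shown in code. The following Python is an added example written for this page, not code from DHHS or from the page’s author: it keeps e-PHI access events in a hash-chained, append-only log so that editing or deleting an earlier record is detectable on verification, and it runs a small examination pass over the log. The event fields, the active-user roster, the business-hours window, the bulk-access threshold, and the sample events are all constructed assumptions for illustration.

```python
"""Tamper-evident audit trail for e-PHI access events.

Added example for this page (not DHHS or vendor code). All field names,
users, devices, patient identifiers and thresholds are constructed
assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64             # chain anchor for the first record

# Assumed workforce roster: user -> role. Anyone not listed is unknown or terminated.
ACTIVE_USERS = {"nurse.ann": "nurse", "dr.bob": "physician", "billing.cy": "billing"}
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local time
BULK_THRESHOLD = 3             # assumed: 3 or more distinct patients by one user is flagged


def _canonical(event: dict) -> bytes:
    # Deterministic serialisation so identical events always hash identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log in which each record commits to the previous record's
    hash, so any edit or deletion before the head breaks the chain."""

    def __init__(self):
        self.records = []

    def append(self, user, device, patient_id, action, outcome, ts):
        # Each record names both the user and the device (traceability).
        event = {"ts": ts, "user": user, "device": device,
                 "patient_id": patient_id, "action": action, "outcome": outcome}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = hashlib.sha256(prev.encode() + _canonical(event)).hexdigest()
        self.records.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Walk the chain; return (True, None) or (False, index_of_first_bad_record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            expected = hashlib.sha256(prev.encode() + _canonical(rec["event"])).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False, i
            prev = rec["hash"]
        return True, None


def examine(log):
    """Examine recorded activity and return (user, device, reason) findings."""
    findings = []
    patients_by_user = {}
    for rec in log.records:
        e = rec["event"]
        if e["user"] not in ACTIVE_USERS:
            findings.append((e["user"], e["device"], "unknown or terminated user"))
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            findings.append((e["user"], e["device"], "after-hours access"))
        patients_by_user.setdefault(e["user"], set()).add(e["patient_id"])
    for user, patients in patients_by_user.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append((user, None, f"bulk access: {len(patients)} distinct patients"))
    return findings


def build_sample_log():
    """Constructed sample events (not real data)."""
    log = AuditLog()
    log.append("nurse.ann", "ws-icu-03", "P1001", "view", "success", "2024-03-04T08:15:00")
    log.append("dr.bob", "ws-er-11", "P1002", "view", "success", "2024-03-04T09:40:00")
    log.append("billing.cy", "ws-fin-02", "P1001", "view", "success", "2024-03-04T10:05:00")
    log.append("jdoe.former", "laptop-77", "P1003", "view", "success", "2024-03-04T23:12:00")
    log.append("dr.bob", "ws-er-11", "P1003", "view", "success", "2024-03-04T11:00:00")
    log.append("dr.bob", "ws-er-11", "P1004", "view", "success", "2024-03-04T11:30:00")
    return log


def detect_edit():
    """Rewriting an earlier record (here, reassigning the after-hours access
    to another user) is caught at that record."""
    log = build_sample_log()
    log.records[3]["event"]["user"] = "nurse.ann"
    return log.verify()


def detect_deletion():
    """Dropping a record is caught at the next record, whose 'prev' no longer matches."""
    log = build_sample_log()
    del log.records[3]
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", sample.verify())
    print("edited:", detect_edit())
    print("deleted:", detect_deletion())
    for finding in examine(sample):
        print("finding:", finding)
```

The chain only proves that nothing before the current head was altered; truncating records from the tail is invisible to it. In practice the head hash must be anchored somewhere the log writer cannot change (write-once storage, a separate log collector, or periodically signed checkpoints), and those anchors must be retained for the same period as the audit data they protect.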

Evaluation

The Evaluation standard requires periodic technical and non-technical evaluations, based initially on the standards implemented under the Security Rule and subsequently on environmental or operational changes that affect the security of electronic protected health information. The evaluation establishes the extent to which the entity’s security policies and procedures meet the requirements of the Rule.

Covered entities must evaluate their security safeguards periodically and produce evidence of compliance with the entity’s security policy and the Security Rule. Each evaluation should account for changes in the security environment since the last one. The evaluation can be performed internally or by an external party; an external evaluator that accesses PHI in the course of the work is a business associate and must be bound by a business associate agreement. In either case it must cover both technical and non-technical aspects of security.

A robust system of audit trails is a core part of an organization’s security strategy. It supports the confidentiality, integrity, and availability of e-PHI and other essential information, lets the organization detect and investigate violations, and provides the evidence needed to demonstrate compliance with the Security Rule.

HIPAA Audit Checklist released by DHHS’ Office of e-Health Standards and Services

Sample – Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Audit Reviews

1. Personnel that may be interviewed

  • President, CEO, or Director
  • HIPAA Compliance Officer
  • Lead Systems Manager or Director
  • Systems Security Officer
  • Lead Network Engineer and/or individuals responsible for:
    • administration of systems that store, transmit, or access Electronic Protected Health Information (EPHI)
    • administration of systems networks (wired and wireless)
    • monitoring of systems that store, transmit, or access EPHI
    • monitoring of systems networks (if different from above)
  • Computer Hardware Specialist
  • Disaster Recovery Specialist or person in charge of data backup
  • Facility Access Control Coordinator (physical security)
  • Human Resources Representative
  • Director of Training
  • Incident Response Team Leader
  • Others as identified

2. Documents and other information that may be requested for investigations/reviews
a. Policies and Procedures and other Evidence that Address the Following:

  • Prevention, detection, containment, and correction of security violations
  • Employee background checks and confidentiality agreements
  • Establishing user access for new and existing employees
  • List of authentication methods used to identify users authorized to access EPHI
  • List of individuals and contractors with access to EPHI to include copies of pertinent business associate agreements
  • List of software used to manage and control access to the Internet
  • Detecting, reporting, and responding to security incidents (if not in the security plan)
  • Physical security
  • Encryption and decryption of EPHI
  • Mechanisms to ensure the integrity of data during transmission, including transmission via portable media and devices (e.g., laptops, cell phones, BlackBerries, thumb drives)
  • Monitoring systems use – authorized and unauthorized
  • Use of wireless networks
  • Granting, approving, and monitoring systems access (for example, by level, role, and job function)
  • Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
  • Termination of systems access
  • Session termination policies and procedures for inactive computer systems
  • Policies and procedures for emergency access to electronic information systems
  • Password management policies and procedures
  • Secure workstation use (documentation of specific guidelines for each class of workstation, e.g., on-site, laptop, and home system usage)
  • Disposal of media and devices containing EPHI

b. Other Documents:

  • Entity-wide Security Plan
  • Risk Analysis (most recent)
  • Risk Management Plan (addressing risks identified in the Risk Analysis)
  • Security violation monitoring reports
  • Vulnerability scanning plans
    • Results from the most recent vulnerability scan
  • Network penetration testing policy and procedure
    • Results from the most recent network penetration test
  • List of all user accounts with access to systems that store, transmit, or access EPHI (for active and terminated employees)
  • Configuration standards to include patch management for systems that store, transmit, or access EPHI (including workstations)
  • Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
  • Organization chart to include staff members responsible for general HIPAA compliance to include the protection of EPHI
  • Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
  • Policies and procedures governing the use of virus protection software
  • Data backup procedures
  • Disaster recovery plan
  • Disaster recovery test plans and results
  • Analysis of information systems, applications, and data groups according to their criticality and sensitivity
  • Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
  • List of all Primary Domain Controllers (PDC) and servers
  • Inventory log recording the owner and movement of media and devices that contain EPHI

Let us help you complete your HIPAA Compliance with an audit.

Please get in touch with us for more information at Bob@HIPAAcertification.net or call (515) 865-4591.

View HIPAA Security Policies and Procedures