HIPAA Audit Checklist

The purpose of a HIPAA audit checklist is to audit an entity’s HIPAA compliance by comparing the content of the checklist against existing safeguards, policies, and procedures in order to identify gaps in compliance. Once any gaps have been eliminated, an entity can demonstrate a good faith effort to comply with HIPAA.

When an individual or organization (“entity”) qualifies as a HIPAA covered entity, they are required to comply with all applicable regulations, standards, and implementation specifications of the HIPAA Administrative Simplification Requirements.

Similarly, when a business associate provides a service for or on behalf of a HIPAA covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI), they are also required to comply with all applicable requirements.

Because there are many different types of HIPAA covered entities and business associates – and because many have different functions – what HIPAA compliance means for one individual or organization may be very different from what it means to another individual or organization.

For this reason, it is necessary for each individual or organization to determine which regulations, standards, and implementation specifications apply to their operation(s), and to implement safeguards, policies, and procedures to comply with the applicable requirements.

How to Start a HIPAA Audit Checklist

The way to start a HIPAA audit checklist is to work out which parts of HIPAA apply to your operations. For example, if you conduct billing and payment activities in-house, it will be necessary to have procedures in place to monitor the correct use of NPIs, transactions codes, etc., and to monitor changes to coding systems such as HCPCS and the National Drug Code.


If you outsource billing and payment activities, it may still be necessary to have procedures in place to spot check your business associate’s compliance with Part 162 of HIPAA. If a business associate fails to monitor coding changes, it could result in preventable delays to (for example) treatment authorizations, which could lead to enforcement action being taken by CMS.

Other areas of HIPAA which may be operation-specific include the provision of Privacy Notices (often not required by business associates), accommodating HIPAA rights, and the need to remove PHI from physical devices if PHI is stored in the cloud. Examples of other areas of HIPAA that might or might not need to be included in a HIPAA audit checklist are discussed below.

Privacy HIPAA Compliance Audit Checklist

The Privacy Rule generally covers permissible uses and disclosures of PHI (in any format) and individuals’ rights. Interestingly, the majority of complaints to HHS’ Office for Civil Rights relate to impermissible uses and disclosures of PHI, while – in recent years – the majority of enforcement actions have been for failures to accommodate individuals’ HIPAA rights.

To prevent complaints being made to HHS’ Office for Civil Rights and the potential for enforcement actions, covered entities (and business associates where necessary) should look at whether the following should be included in a privacy HIPAA compliance audit checklist:

  • A full understanding of what is considered PHI under HIPAA.
  • Policies for disclosures of PHI that do not require an authorization.
  • Procedures for obtaining valid authorizations from patients.
  • Procedures for responding to individuals exercising their HIPAA rights.
  • Procedures for documenting and retrieving all HIPAA paperwork.

Once any gaps in compliance (or knowledge) have been identified, it will be necessary to develop policies and procedures to fill the gaps, provide HIPAA training to all necessary members of the workforce (all members of the workforce should receive basic HIPAA training), and monitor compliance with policies and procedures – enforcing sanctions when necessary.

HIPAA Security Audit Checklist for Compliance

All covered entities and business associates must comply with applicable standards of the Security Rule. However, the General Security Regulations permit a “flexibility of approach”, and some entities may be able to avoid having to comply with “addressable” implementation specifications if an equally effective option is already in place.

Despite the “flexibility” and “addressable” clauses, each Security Rule standard should be considered before including the standard in – or excluding the standard from – a HIPAA security audit checklist for compliance. The areas of the Security Rule most entities struggle with are:

  • Developing inventory and audit trails for PHI – including Shadow IT.
  • Configuring software once it is implemented to mitigate threats.
  • Providing all members of the workforce with security awareness training.
  • Testing contingency, emergency mode, and disaster recovery plans.
  • Procedures for reporting, escalating, and investigating security incidents.

Testing contingency, emergency mode, and disaster recovery plans is not only necessary for HIPAA compliance. For healthcare organizations, this particular area of a HIPAA security audit checklist for compliance is necessary to comply with the conditions for participation in Medicare. It may also be required by state and local building or licensing codes.

Breach Notification Checklist for HIPAA Compliance

At the time of publication, a breach notification checklist for HIPAA compliance would look no different from a checklist produced in 2009. However, this might soon be about to change. Concerns have been raised about the lack of transparency in breach notifications, and that this prevents individuals affected by data breaches from taking steps to protect themselves.

In April 2024, the Federal Trade Commission responded to the concerns by updating the Health Breach Notification Rule. The changes to the Rule for entities not covered by HIPAA require notifications to provide more clarity about the type of breach and the nature of data acquired. It is expected HHS’ Office for Civil Rights will apply the changes to HIPAA breach notifications.

Covered entities (and, where applicable, business associates) should consider how they notify data breaches and the content of breach notifications when producing a breach notification checklist for HIPAA compliance. While not a HIPAA requirement at the time of publication, it is a best practice to give affected individuals as much information as possible about a data breach.

Why You Need a HIPAA Audit Checklist Now

Most students of HIPAA compliance will be aware that enforcement actions by HHS’ Office for Civil Rights have been limited in recent years due to a lack of resources. However, this is not an excuse to be complacent about HIPAA compliance. Indeed, there is a compelling reason to take HIPAA compliance more seriously than before – the threat of litigation.

Although HIPAA does not provide a private right of action for individuals to pursue legal action, dozens of lawsuits have been filed against healthcare organizations following a data breach, claiming violations of state data privacy laws. The frequency is increasing. In the 2024 Data Security Incident Response Report, a 40% increase in lawsuits following a data breach was noted.

As settlements of private lawsuits can be considerably more than settlements for HIPAA violations, covered entities and business associates are advised to compile a HIPAA audit checklist and identify gaps in compliance at the earliest possible opportunity. Those who require help compiling a HIPAA audit checklist should speak with a HIPAA professional.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/