HIPAA Auditing: What's Involved

Assured Tech Services is certified to get your office protected from the 351 data breaches in 2018 resulting in the compromise of over 13 million healthcare records.

What does that prove? HIPAA auditing is more important than ever before.

Are your healthcare organizations handling private healthcare information in a secure way? Are you ready for an audit? How can you prepare?

Keep reading for our top HIPAA tips.

Why is HIPAA Important

Healthcare records getting leaked can cost people their livelihoods. It leaves them at risk for discrimination and violence. There are many standards that medical facilities must adhere to for the safety and privacy of their patient's healthcare records.

A HIPAA audit confirms these measures are in place. Audits also provide notice about where there are gaps in security.

A Refresher on HIPAA and What It Entails

HIPAA security standards safeguard patient healthcare records. The four major sections of HIPAA security include:

  • Physical Security

  • Administrative Security

  • Technical Security

  • Policies, Procedures, and Documentation Requirements

The HIPAA security standard outlines how to safeguard each of these sections.

Only a small number of people have the keys to unlock physical information. Secure locked cabinets keep these files safe.

The administrative component is the proper implementation of safeguard procedures. There needs to be documentation of the rules you've put in place for your staff to adhere to HIPAA guidelines.

Technical security includes encryption of any email communications. Also, maintaining a secure and private virtual server for data. This could include keeping all sensitive information only on one or two machines.

It requires HIPAA-specific IT protocols and an IT team that understands how to maintain security.

You'll need to create your specific policies, procedures, and documentation requirements that your staff and patients must adhere to. You'll want to make your patients aware of their HIPAA confidentiality rights and have them sign a page confirming they have received them.

What Does a HIPAA Audit Cover?

HIPAA audits are exhaustive and cover every aspect of your office's security measures. This includes going through the measures put in place but also includes minor things like employees keeping medical records flipped upside down on their desks and remembering to lock their computers when they walk away.

The audit confirms that you are not susceptible to a breach during regular business operations.

How well-versed is your staff on the standards? Do they understand why they are important? The auditor will check everything you have put in place for security. 

How do you prepare for an audit? You need to implement your security plan and run quizzes with your staff. Stage a few practice audits throughout the time prior to the auditor arriving.

It's a good idea to have a practice audit at the end of training for any new employee as well. This confirms they understand and are well trained on the importance of HIPAA security.

Which IT Security Systems Do You Need for HIPAA Compliance?

As outlined in our HIPAA Audit Checklist, HIPAA IT security includes a number of important items. The security team will make sure the following protections are in place:

Secure User Identities and Creation of Access Records

You need a system that identifies and tracks users that can access electronically protected health information (ePHI). These systems assign an ID number to each employee and require logins for any database that includes protected information.

Most offices will also install cameras at all entry and exit points within the office to confirm the information on the access records matches up.

Emergency Access Procedures

Offices need specific procedures that cover how to access ePHI during an emergency. If there is a fire, how will you get to the information? Make sure the whole office knows where the keys are.

Keep electronic files on an encrypted memory disk. Then, keep it in a secure location in the office. 

Identity Authentication

You must have procedures that offer verification of the identity of anyone seeking access to ePHI. These procedures involve giving everyone on the staff a key card with a specific number attached. They also have a specific login to all electronic records for the activity log.

Session Control

Your system needs to log all user activity. The log must include how long the user had access to protected data. Keystroke tracking of any changes to the data is also included in the activity log.


A certain period of time where the user is inactive will implement an auto-logoff and lock of the system. This safeguards against someone forgetting to lock their computer. Less than 5 minutes is ideal so there isn't a large gap of time between leaving the workspace and the system locking down.

Data Encryption

Encryption of every piece of information that crosses your firewall is essential to security. Encryption is the process of breaking down information into an unreadable jibberish during transfer. This prevents the interception of the information by unintended parties.

The implementation of these systems is best done by a professional medical IT specialist

HIPAA Is No Joke, Take Patient Privacy Seriously

Preparing your offices for HIPAA auditing can be daunting. The implementation of these security practices takes a lot of manpower, time, and financial resources. However, the payoff is the safety and security of every patient who walks through the door.

Failure of an audit can result in huge fines against the office. Following HIPAA protocols ensure the safety of your patient base and avoid legal and financial ramifications.

Are you having trouble getting your office compliant? Do you need some professional help to get your systems in line? We have your back at Assured Tech Services. 

Contact our office at 248-243-7160 for more information.