Time To Audit Your HIPAA Compliance Plan

This Important Procedure Will Provide Much More Than Some Peace of Mind

Last month we reviewed the importance of performing a risk assessment as the first step toward achieving compliance with the HIPAA regulations. This month we look at another critical step in achieving HIPAA compliance – the process of auditing your HIPAA Compliance Plan.
Performing a formal audit of your HIPAA Compliance Plan will not only provide feedback to your privacy officer, it will document that your practice is following its own policies and procedures. Most practices have had their HIPAA Privacy Compliance Plan in place for close to two years, but have never audited the Plan. It is good operating procedure to audit your Compliance Plan once every 12 months. Next year’s audit will include auditing HIPAA Security as well.

An audit is an independent appraisal and verification function that examines records and/or activities in order to test the adequacy and effectiveness of procedures; to ensure compliance with established policy; to assess the adequacy of controls; and to recommend improvements. The auditor should have expert knowledge of the HIPAA regulation and a thorough understanding of the audit process.

Little guidance is published to help practices perform a HIPAA Compliance Audit. This article presents a practical approach to HIPAA auditing and will step you through the audit process, the workplan, the work papers, and a few caveats to watch out for.

Typical Audit Process:

1) Review Risk Assessment (We do this so that we don’t spend valuable time and resources auditing an area that is low-risk to the practice.)

  • Discussions with the practice’s management and key staff take place to identify processes and risks. The practice’s Risk Assessment Report is reviewed.
  • Information gained about risks will be analyzed to define the audit scope, identify key objectives, and help design the audit workplan.

2) Planning

  • Management’s concerns and expectations are solicited.
  • The Objectives and Scope Document that outlines the objectives and parameters of the audit is finalized.
  • Detailed test programs are developed (known as the audit workplan).

3) Testing (This is the step most people think of when the word “audit” is mentioned.)

  • Auditors interview workforce members.
  • Information is gained through the following techniques: review of policies, procedures, forms; performance observation; re-performance; walkthroughs; and review of logs and reports.
  • Regular update meetings are scheduled during field work to communicate progress to date and to discuss potential findings and issues. Always obtain the approval of your findings and issues from management.

4) Communication of Results

  • The results of the audit, findings, and recommendations are submitted to management and key staff for discussion at an “exit meeting” in the form of a draft audit report. A comment period is used by the auditors to allow management and key staff to respond in writing. The comments from management and key staff become an integral part of the final audit report.
  • The final report goes to the shareholders of the practice.

5) Follow Up

  • Significant issues in a final audit report should be followed up with a post-audit review within 6 to 12 months.
  • The auditor usually asks the shareholders, management, and key staff to evaluate the auditor’s performance in a quality survey.

The Audit Workplan

The audit workplan is the roadmap that organizes the auditor and the audit process. It goes beyond a checklist, providing detailed instructions for the auditor to follow. The HIPAA Compliance Audit workplan should not be purchased – it should be prepared for each practice based on that practice’s unique risk assessment. In light of that, each section of the workplan should reference which area of the risk assessment the testing addresses. The workplan should follow the mandates of the Privacy Rule (and next year the Security Rule as well).

Some practices that have never experienced an audit before might want to contract with a HIPAA audit professional to create the first workplan and perform the first audit.

Work Papers

Since the audit process can help show due diligence if your practice is investigated by the OCR, it’s important to document everything about your audit in your work papers. The work papers should include a narrative of who performed the audit, what the objectives of the audit were, and the methodology used to perform the audit, as well as a description of each test step and when it was performed.

Audit Calendar/Timing:

Remember that auditing the HIPAA Compliance Plan is a journey, and not a task. It’s recommended that you use a combination of the following techniques:

  • Surprise spot checks
  • Continuous monitoring/evaluation
  • Monthly walk-throughs
  • Annual formal audits plus…
    • In the event of a serious unauthorized disclosure of PHI, an impromptu formal audit should be triggered.

All practices should look for efficiencies by combining the HIPAA audit with existing audits. Next year, practices should audit HIPAA Privacy and Security together.

Typical Q&A:

I only have to audit my policies and procedures and rewrite them if necessary, right?

  • Wrong. You have to make sure that your policies and procedures are written, you have to make sure they match the mandates of the HIPAA Privacy Rule, and you have to gather tangible evidence that appropriate operational procedures support your policies. In other words, you have to make sure your practice is doing what it says, and saying what it does.

My practice is really small … I don’t have to do much, right?

  • Do not skimp on the audit process. All the work you did to reach compliance could still leave you vulnerable if you don’t audit what you’ve done.

I can do this audit myself, can’t I?

  • You probably have the skill to perform your own HIPAA Compliance Audit, but you might not have the time.
  • You might want the assurance of another entity or individual that you are in compliance.

Any words of wisdom for working with consultants?

  • Consultants are “independent” and can perform an audit as long as their independence isn’t compromised. A consultant’s independence would be compromised if the consultant also created any part of your HIPAA Compliance Plan.
  • If you work with a consultant, spend extra time planning the audit so that roles and responsibilities are clearly understood and documented.

Auditing your HIPAA Compliance Plan is a journey, not a task. It is one thing on your practice’s ‘to do’ list that is never completed. Aside from completing your practice’s Risk Assessment, it is the most important piece of documentation regarding your HIPAA Compliance Plan.

When done properly, your annual HIPAA Compliance audit should provide the documentation you need to show that your practice’s policies and procedures follow the HIPAA mandates.

Sharon A. Blanchette, CPA, MBA, is an independent health care IT consultant with Northeast HealthCare IT, LLC, collaborating with the Health Care Services Division of Longmeadow-based Meyers Brothers Kalicka, P.C., CPAs and Business Consultants: (413) 567-6101.