How to prepare for a HIPAA security compliance audit or investigation

Written by Chad William Koplien, Government Attorney

Posted over 6 years ago.



Why you should be worried about a HIPAA audit

Recently, the Center for Medicaid Services ("CMS", an arm of the Department of Health and Human Services) sent out a bulletin warning of random HIPAA audits of covered entities. These audits will target healthcare providers, insurers, and employers that use self-administered health insurance plans, and could be conducted by the U.S. Office of the Inspector General (OIG) or by private auditors contracted by CMS to carry them out. The authority for these audits is found at 45 C.F.R. 160.300-160.316.


What you need to do to be ready

As part of this warning, CMS provided a checklist of the types of information an auditor will demand from the covered entity. I recommend that you review your HIPAA policies and, where feasible, make sure that the procedures and protocols suggested by the audit checklist are implemented. The checklist is located at the link below.



The checklist gives us a clue as to what an auditor may ask for. Depending on the nature of the covered entity, the HIPAA regulations may not require actual implementation of every item on this list; to be safe, my recommendation is that each listed item be analyzed to determine whether the security measure is feasible and, if it is, that it be implemented. Document your analysis, and know which measures are mandatory and which are "addressable" under the regulations.


Additional recommendations

1. Conduct an analysis of which "addressable" items listed in the checklist have not been included in your policy, and then, working with your IT department, generate the necessary documentation to support a conclusion that each item is either feasible or infeasible.

2. Maintain a companion records management and retention policy, and incorporate it (or at least cross-reference it) within the HIPAA policy.

3. Review Business Associate Agreements and Third Party Administrator Agreements to ensure the items referenced in the checklist are addressed.


What is a covered entity?

Use the CMS chart in the link below to see if your company qualifies as a covered entity.

Additional Resources

Conduct an Internet search for additional web articles and information on the issues discussed above.

Security Rule Compliance Checklist Website

CMS Covered Entity Chart
