December 20, 2023 by Bojana Krstic

6-Step HIPAA Audit Checklist for Healthcare Organizations

Not passing a HIPAA audit can lead to fines and penalties, as HIPAA isn’t only a legal requirement — it also fosters trust in the entire healthcare ecosystem.

In this article, we’re preparing your organization by going over:

  • What HIPAA audits are.
  • The best HIPAA audit checklist for complete compliance.
  • Common HIPAA violations.
  • How email archiving fosters HIPAA compliance.

Just looking for a quick HIPAA audit checklist?

Here are the key steps (more info later in this guide):

  • Assess your organization — Conduct a risk assessment and check for hidden security gaps in your organization.
  • Set administrative policies — Set up protocols and policies meant to safeguard protected health information (PHI).
  • Secure physical environment — Create strategies for guarding the physical environment where the protected health information (PHI) is stored.
  • Take technical measures — Utilize the latest security technologies and transmission protocols to prevent unauthorized access.
  • Implement organizational requirements — Manage all of your organization’s partnerships, agreements, and obligations.
  • Create an incident response plan — Set up protocols in the case of patient information breaches.

What Is a HIPAA Compliance Audit?

A HIPAA compliance audit is a yearly inspection performed by the US Health and Human Services (HHS) Office for Civil Rights (OCR) to examine how HIPAA-covered entities and Business Associates handle protected health information (PHI).

During a HIPAA audit, the focus is put on ensuring that the healthcare organization being
audited adheres to all HIPAA requirements and implements proper HIPAA processes.

These audits are designed to evaluate the effectiveness of an entity’s policies, procedures, and security measures to protect the confidentiality, integrity, and availability of PHI.

Failing to pass the HIPAA audit brings with it a set of consequences depending on the severity of the violation and the organization’s responses to the findings. These consequences may include penalties and fines, increased oversight, damage to reputation, or corrective plans.

To circumvent this, the best course of action is to utilize a HIPAA audit checklist and implement necessary changes before the HIPAA audit happens.

6-Step HIPAA Audit Checklist

Complying with HIPAA isn’t an easy job for any healthcare organization and audits just make it harder, but following the right guidelines will set you up for full compliance.

Use this HIPAA audit checklist and take the key steps for your organization to prepare for a HIPAA audit:

  • Assess Your Organization — Conduct a risk assessment and uncover hidden security gaps in your organization.
    • Thoroughly review all HIPAA rules and regulations and how you are handling them.
    • Analyze previous data breaches and HIPAA non-compliance situations.
    • Document all deficiencies you found.
  • Implement Administrative Safeguards — Set up protocols and policies meant to safeguard protected health information (PHI).
    • Develop and implement necessary security protocols and procedures uncovered after the assessment.
    • Designate a security officer to oversee and implement security measures.
    • Document the new security measures and create employee training plans.
    • Provide employees with security awareness training.
    • Implement access limitations to patient information based on employee roles.
  • Implement Physical Safeguards — Create strategies for guarding the physical environment where the protected health information (PHI) is stored.
    • Develop and implement security policies to control physical access to physical storage facilities.
    • Implement security measure standards like access cards and personnel checks.
    • Secure employee workstations from unauthorized access.
    • Implement measures for the disposal of electronic devices.
    • Encrypt portable devices containing patient’s personal information.
  • Implement Technical Safeguards — Utilize the latest security technologies and transmission protocols to prevent unauthorized access.
    • Implement user identification for system access with strong authentication methods.
    • Establish regular audit log reviews and processes.
    • Ensure proper measures to ensure your data’s integrity.
    • Utilize industry encryption standards to protect your patient’s data.
  • Implement Organizational Requirements — Manage all of your organization’s partnerships, agreements, and obligations.
    • Identify your vendors and business associates.
    • Performed audits on your business associates to assess their HIPAA
    • Establish/Re-establish agreements with business associates handling patient information.
    • Maintain up-to-date documentation of security policies and procedures.
  • Create an Incident Response Plan — Setting up protocols in the case of patient information breaches.
    • Develop a clear breach response plan according to your new processes and assessments.
    • Ensure all employees understand the plan.
    • Conduct regular breach simulations to test your plan’s effectiveness.
    • Document the simulations and real incidents for further improvements.

Following this HIPAA audit checklist will ensure your organization is set up with the best means to protect patient information.

It’s recommended to regularly review and update your HIPAA compliance strategy to adhere to any new regulations and fix mistakes.

Types of HIPAA Violations that Can Cause an Early HIPAA Audit

As mentioned, HIPAA audits are a regular inspection of your ability to comply with HIPAA regulations, but certain violations can raise red flags and prompt regulatory bodies to conduct early audits on your organization.

The most common HIPAA violations that can cause a HIPAA audit are:

  • Unauthorized access to PHI — Discovering that an unauthorized person gained access to confidential patient information can alert authorities to conduct a thorough HIPAA audit due to further security risks.
  • Lack of patient authorization — Sharing patient information without obtaining proper authorization from the said patient can prompt the patient to file a complaint, which can cause an investigation.
  • Failure to notify patients of a breach — Failure to provide timely notifications to patients means you aren’t prepared for data breaching instances, which HIPAA mandates.
  • Improper disposal of PHI — An instance of someone finding a patient’s file improperly disposed of (not shredded) can prompt a full HIPAA audit.

These four concerns must be addressed in every healthcare facility to be fully HIPAA compliant.

Utilize our HIPAA audit checklist together with these types of violations to craft a compliance strategy that will prevent early HIPAA audits as well as regular audits.

How Email Archiving Helps You Comply with HIPAA

Most healthcare information, patient scheduling, and contracts with BAs get sent over email, so it’s one of the biggest threats to your HIPAA compliance.

To prevent an unnecessary HIPAA audit, your email communications need to be archived for optimal data security.

Even HIPAA itself requires you to archive your data for a minimum of 6 years, and email is a part of that requirement.

To make it as easy as possible for your HIPAA compliance, email archiving solutions have many features that help you stay secure.

These features include:

  • Automated information capture — Archiving systems monitor all of your communications channels and automatically store them on a cloud server without the need for manual work. This includes email content, subject lines, senders/recipients, the content of the message, attachments, calendar events, and all other email metadata.
  • Data security — Email archives are equipped with top encryption standards that ensure safety from potential breaches and unauthorized access, and keep your patient’s data safe.
  • Data preservation — You can set up data retention periods to meet HIPAA email retention requirements of 6 years.
  • Data integrity — A HIPAA audit requires you to prove your communications weren’t tampered with or deleted. Email archives allow you to store the original instance of an email in a WORM format, and come with message integrity verification features.
  • Access control — Your compliance officers can easily assign roles in your organization and give only the necessary permissions to each employee.
  • Audit trails and supervision — Email archiving solutions allow you to go through every action taken inside your archive helping you respond to HIPAA audit requests and improve your HIPAA compliance through analysis.

An email archiving system is crucial for your healthcare organization to be HIPAA compliant.

Related: What to Look For In an Email Archiving Solution


Staying HIPAA compliant is a long process only made harder by the number of points you need to think about.

It has many intricacies in it, but with our HIPAA audit checklist, your organization can be on its way to full compliance.

Pairing up the HIPAA audit checklist with an adequate email archiving solution and always going back to your processes is a sure way to never worry about HIPAA audits or compliance.

Solve all of your email archiving needs with Jatheon’s cloud email archiving solution built for businesses of all sizes. Stay compliant, speed up your ediscovery, and retain all of your business data in one easy-to-use solution.



How often do you have to audit HIPAA?

HIPAA requires covered entities to conduct their own internal HIPAA audits at least once a year with larger organizations being required to perform an audit twice a year or sometimes quarterly. The frequency can also be based on changes in operations, technology, or a significant incident.

Who can perform a HIPAA audit?

HIPAA audits are externally conducted by the Office for Civil Rights (OCR), a division of the Health and Human Services that enforces HIPAA rules. They can also be performed by specialized firms or internally by the designated compliance officer.

How much does a HIPAA audit cost?

HIPAA audit costs are covered by the Health and Human Services for the on-site audits, but covered entities and business associates aren’t covered. You can also conduct your own internal HIPAA audit which usually costs about $8000.

How long does it take to complete a HIPAA audit?

HIPAA audit length can vary depending on many factors, but it usually takes about a month to complete. When selected by the OCR, your organization has 10 business days to review and return written comments after which the auditor has 30 business days to respond to them.

About the Author
Bojana Krstic
Bojana Krstic is the Head of Content and SEO at Jatheon and an experienced writer on topics like data archiving, ediscovery, and compliance. When AFK, you’ll find her hiking, discovering new music, or road-tripping.

See how data archiving can simplify compliance and ediscovery for your organization

Book a short demo to see all the key features in action and get more information.

Get a Demo

Jatheon is a “Trail Blazer” in The Radicati Group’s 2024 Information Archiving MQ

Share via
Copy link
Powered by Social Snap