What Evidence Do You Need to Demonstrate HIPAA Compliance?

Businesses operating in the healthcare industry in the United States need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law is designed to protect the privacy and security of patient health information. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Rules. 

Patient information is known as protected health information (PHI) and as electronic protected health information (ePHI) when processed digitally in a computerized system. A covered entity is the term used for the organization processing PHI or ePHI. 

Three main rules form the foundation of HIPAA guidelines.

  • The Privacy Rule regulates the use and disclosure of PHI by covered entities.
  • The Security Rule pertains explicitly to ePHI. It defines administrative, physical, and technical safeguards that need to be in place for an IT environment to comply with HIPAA.
  • The Breach Notification Rule defines how and when an organization must notify the HHS OCR and affected patients about a data breach involving PHI.


What is a HIPAA Audit?

A HIPAA audit is an activity initiated by the OCR to test a covered entity’s compliance with HIPAA rules. 

What Conditions Trigger a HIPAA Audit?

Organizations must be prepared to provide the necessary evidence demonstrating compliance with HIPAA regulations. There are three scenarios in which HIPAA compliance is tested in an audit or self-assessment.


Random audits

The OCR conducts random audits to determine the ability of covered entities to meet the standards outlined in HIPAA rules. Typically, large healthcare organizations are chosen for an audit. OCR sends out questionnaires to covered entities and business associates and selects audit participants based on the answers it receives. Failure to respond to the questionnaire is not recommended as it may make it more likely that a given organization is chosen for a random audit. If selected for an audit, a company has ten days to reply to the OCR.


Audits due to violations 

An OCR audit can also be triggered by a complaint of a violation made by a patient, employee, or whistleblower. In these cases, an organization will have to demonstrate that it has taken the appropriate steps to address the violation and that it complies with the other HIPAA regulations. 

Violations that commonly trigger HIPAA audits include:

  • Unauthorized access or disclosure of PHI or ePHI;
  • Insufficient implementation of the security measures defined in the HIPAA Security Rule;
  • Improper disposal of PHI or ePHI;
  • Failure to notify patients of a data breach.


Annual self-assessments

HIPAA requires annual internal audits or self-assessments. Organizations need to take these assessments seriously as they provide an opportunity to verify HIPAA compliance and identify gaps that must be addressed. Self-assessments can be carried out by internal teams or third-party auditors.

Effective internal audits put an organization in a great position to handle an OCR-initiated audit. Security vulnerabilities can be addressed before threat actors exploit them. All procedures that are associated with the processing of PHI should be reviewed to ensure there are no risks to patient data.


Preparing for a HIPAA Audit

The best time to prepare for a HIPAA audit is before your company is required to participate in one. Performing objective self-assessments is essential for maintaining compliance that will satisfy an OCR audit. The following measures are considered best practices for organizations preparing for a HIPAA audit. Preparation should be addressed before an OCR audit is announced, and all activities must be fully documented for use as evidence of compliance. 

  • Designate a security and privacy officer – This individual will be responsible for ensuring the security and privacy of PHI. They will interact with the OCR in the event of an audit. The officer should regularly review security policies and perform risk assessments. Data breaches involving PHI need to be documented by the security and privacy officer.


  • Address organizational risks – HIPAA requires companies to have a risk management plan and perform a risk analysis. During the risk assessment, security plans and procedures should be documented and stored where they can be easily accessed. Examples of necessary security documentation include guidance on incident response, physical security, firewalls, and breach notification. 


  • Assess physical security systems – HIPAA data stored in physical locations must be secured behind managed access control systems, with access points monitored by active video security cameras. Businesses are expected to maintain appropriate technical and physical safeguards to prevent the disclosure of PHI, meaning physical security devices must be frequently reviewed, updated and assessed to ensure systems remain free from exploitable vulnerabilities.


  • Provide employee training – Employee training is an essential HIPAA requirement. Organizations must be able to present documentation that they are performing the necessary training to provide employees with an understanding of what constitutes HIPAA compliance. The OCR will require proof of employee training during an audit.


  • Review policy implementation – Companies need to ensure that the policies defined in the risk management plan are effectively implemented. During an audit, OCR will want evidence that all policies and procedures are reflected consistently in standard business operations.


  • Conduct an internal audit – The most effective way to ensure HIPAA compliance is by conducting an internal audit. In large companies, a dedicated audit team often performs the audit. Smaller companies can engage a third party to perform the audit. The point is to replicate an OCR audit as closely as possible so that all data security and privacy gaps affecting ePHI can be addressed.


  • Develop a remediation plan – After internal audits are performed, any risks and findings need to be remediated. HIPAA requires annual self-assessments to ensure that compliance is maintained despite changes to the IT environment or business operations. 


HIPAA Audit Logs

HIPAA audit logs are one of the primary artifacts used to demonstrate regulatory compliance. Audit logs must be maintained for all systems that store or process ePHI. The logs must be made available to OCR and internal auditors to verify that the required security and privacy measures are being implemented. Because HIPAA compliance is critical, understanding what log monitoring is and how it works offers deeper insight into safeguarding patient data effectively.

Multiple types of audit logs are required to provide audit trails for various kinds of activity on each covered system.

  • System audit logs track events such as reboots, crashes, resource access requests, authorization, and authentication. 


  • Application audit logs monitor user activity when using applications involving ePHI. They track items such as file creation, access attempts, and deletion.


  • User audit logs concentrate on user activity related to ePHI as well as system commands executed by a specific user.

HIPAA audit logs are important for other reasons in addition to demonstrating compliance. Audit logs can be invaluable in the wake of a data breach to help organizations understand what happened. The logs can also be instrumental in providing information essential for efficient disaster recovery.
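As an added illustration (not code from the original article), the following Python check reads constructed audit records for a constructed set of ePHI systems, maps each event onto the three log categories above, and reports which systems lack one of them. The key=value log format, hostnames and event names are assumptions, not any product's real format.

```python
import re
from collections import defaultdict

# Constructed inventory: the systems that store or process ePHI.
EPHI_SYSTEMS = {"ehr-db-01", "ehr-app-01", "billing-01"}

# Constructed event names mapped onto the article's three audit-log categories.
CATEGORY_OF_EVENT = {
    "reboot": "system", "crash": "system", "auth_success": "system", "auth_failure": "system",
    "file_create": "application", "file_access": "application", "file_delete": "application",
    "cmd_exec": "user", "record_view": "user", "record_export": "user",
}

# Constructed sample records in a simple key=value format (not a real product's log format).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host=ehr-db-01 user=svc_db event=reboot
2024-03-01T08:05:12Z host=ehr-db-01 user=jdoe event=auth_success
2024-03-01T08:06:40Z host=ehr-db-01 user=jdoe event=cmd_exec
2024-03-01T09:10:00Z host=ehr-app-01 user=asmith event=auth_success
2024-03-01T09:11:30Z host=ehr-app-01 user=asmith event=file_access
2024-03-01T09:12:05Z host=ehr-app-01 user=asmith event=record_export
2024-03-01T10:00:00Z host=billing-01 user=svc_backup event=auth_success
this line is malformed and must not crash the checker
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=(\S+)$")
REQUIRED = {"system", "application", "user"}

def parse_log(text):
    """Yield (timestamp, host, user, category) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped here; a real checker would count them
        ts, host, user, event = m.groups()
        yield ts, host, user, CATEGORY_OF_EVENT.get(event, "unknown")

def coverage_gaps(text, systems=EPHI_SYSTEMS):
    """Return {system: sorted missing categories}; an empty list means full coverage."""
    seen = defaultdict(set)
    for _ts, host, _user, category in parse_log(text):
        if host in systems and category != "unknown":
            seen[host].add(category)
    return {s: sorted(REQUIRED - seen[s]) for s in sorted(systems)}

if __name__ == "__main__":
    for system, missing in coverage_gaps(SAMPLE_LOG).items():
        print(system, "OK" if not missing else "MISSING " + ", ".join(missing))
```

A system listed with missing categories is a gap an auditor would ask about: the ePHI system exists, but no audit trail of that kind can be produced for it.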


Additional Documentation 

Additional documentation may be necessary to demonstrate compliance. The specific information requested by auditors will vary depending on the type of system or business process under review. As an example, the evidence required regarding a company’s backup and recovery procedures includes:

  • Proof that disaster recovery procedures are in place for all systems related to ePHI;
  • Documentation of backup schedules and logs of completed backups;
  • Documentation of retention policies that demonstrate compliance with HIPAA standards for ePHI;
  • Verification that only authorized individuals can make changes to policies and schedules;
  • Proof that default passwords have been changed and that there are no non-expiring passwords on accounts with elevated privileges.

Similar documentation will need to be provided by all departments that are involved in processing ePHI.


What Happens if You Cannot Demonstrate Compliance?

Failing an internal risk assessment provides organizations with the opportunity to update the policies, processes, and procedures designed to achieve HIPAA compliance. Failure in an OCR audit can result in substantial fines based on the severity of the violation. Companies that need to comply with HIPAA should take the proactive steps necessary to ensure they can pass an OCR audit.