If not, you should be. Each year the Office for Civil Rights (OCR) audits hundreds of covered entities and business associates to ensure they are compliant with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The penalties for violations can range from basic corrective action to thousands of dollars in fines – or in extreme cases, criminal prosecution.

Rather than crossing your fingers and hoping that you aren't audited, you should take a proactive approach towards preparing your healthcare practice for the next round of HIPAA audits. Doing so will give you the peace of mind knowing that if you are audited, you'll pass with flying colors.

Conduct a Risk Assessment

One of the first steps in preparing for a HIPAA audit is to conduct a risk assessment. This involves analyzing your policies, procedures and systems for potential risks and vulnerabilities. Risk assessments are an essential component of maintaining a HIPAA-compliant healthcare practice, as they are intended to reveal problem areas that could otherwise result in a violation.

If you think conducting a risk assessment is overly difficult or complicated, think again. The OCR has a free-to-use tool on its website that can be used for conducting a HIPAA risk assessment.

Security and Privacy Officer

Don't forget to assign someone as the Security Officer and Privacy Officer for your healthcare practice. Even if you are otherwise compliant with HIPAA, you must still have these two job roles filled. The Privacy Officer, as the name suggests, is responsible for ensuring compliance with the HIPAA Privacy Rule. They must train other workers on the nuances of the Privacy Rule and implement the necessary policies to protect patient data from unauthorized use or disclosure. The Security Officer is responsible for ensuring compliance with the HIPAA Security Rule.

Note: a single worker can be assigned both roles.

Of course, you'll also need to implement the appropriate safeguards to remain compliant with HIPAA. This includes physical, technical and administrative safeguards. We've talked about this before on our blog, but in short: physical safeguards consist of tangible measures to protect against unauthorized disclosure of Protected Health Information (PHI), technical safeguards are digital measures like firewalls and virus scanners, and administrative safeguards are policies and procedures.

These are just a few simple steps that you can take to better prepare for the next round of HIPAA audits.
