Complying with the Health Insurance Portability and Accountability Act (HIPAA) isn't optional for healthcare providers; it's a necessity. Violating just one of its specifications could result in expensive fines and other corrective actions handed down by the Office for Civil Rights (OCR). So, here's a short list of five essential things to check when performing an internal HIPAA audit of your healthcare practice.
HIPAA requires that all covered entities implement a combination of technical, physical and administrative safeguards to prevent the unauthorized access or disclosure of Electronic Protected Health Information (EPHI). Technical safeguards consist of things like firewalls and encryption, while physical safeguards are protective measures you can feel and touch (e.g. security cameras), and administrative safeguards are policies and procedures.

Business Associate Agreements

You should also check to make sure you have the necessary Business Associate Agreements (BAAs) in place. Whenever a covered entity conducts business with a third party – and that third party has access to PHI – a BAA must be used. Failure to create and maintain BAAs is one of the most common causes of HIPAA violations, so don't make this mistake with your healthcare practice.

Workforce Training

Even if you're familiar with the nuances of HIPAA and its respective rules, perhaps your employees are not. As such, it's important for covered entities to have a workforce training and management program in place to educate employees on HIPAA compliance. This also includes designating a workforce member as the Security Officer, and another member as the Privacy Officer.

Disaster Recovery Plan

Does your healthcare practice have a disaster recovery plan in place? If not, you should create one. HIPAA requires all covered entities to have a plan for recovering EPHI in the event of a breach, data loss or other unforeseen disaster.

Unique User Identification

Each member of your workforce should be given a unique user ID. And whenever a workforce member accesses EPHI, he or she should use this ID. Doing so allows covered entities to keep track of who accesses EPHI and when.
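To show what that "who and when" check looks like in practice, here is a small audit script added for this post (it is not from the original article or from any particular EHR vendor). It assumes a constructed access-log format of (timestamp, user ID, workstation, record) and a roster mapping each user ID to one named person; it flags log entries from IDs that are not tied to a single workforce member, and IDs that show up on different workstations within a few minutes of each other, which is a common sign of shared logins.

```python
"""Internal-audit check for the Unique User Identification safeguard.

Reports (1) EPHI accesses by user IDs that are not assigned to exactly
one named workforce member (generic or shared logins defeat attribution)
and (2) user IDs used from two different workstations within a short
window, a common sign that credentials are being shared.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; the field layout is an assumption, not a real EHR log format.
ROSTER = {
    "jdoe": "Jane Doe (RN)",
    "asmith": "Alan Smith (MD)",
}

ACCESS_LOG = [
    ("2024-03-04T08:00:05", "jdoe", "WS-12", "record:1001"),
    ("2024-03-04T08:02:40", "frontdesk", "WS-01", "record:1002"),  # generic login
    ("2024-03-04T08:03:10", "asmith", "WS-07", "record:1003"),
    ("2024-03-04T08:04:00", "asmith", "WS-09", "record:1004"),  # same ID, other desk, 50s later
    ("2024-03-04T09:30:00", "asmith", "WS-07", "record:1005"),
]


def parse(entry):
    ts, user, workstation, record = entry
    return datetime.fromisoformat(ts), user, workstation, record


def unattributed_access(log, roster):
    """User IDs in the log that do not belong to one named workforce member."""
    return sorted({parse(e)[1] for e in log if parse(e)[1] not in roster})


def shared_credential_suspects(log, window=timedelta(minutes=5)):
    """User IDs seen on two different workstations within `window` of each other."""
    by_user = defaultdict(list)
    for e in log:
        ts, user, ws, _ = parse(e)
        by_user[user].append((ts, ws))
    suspects = set()
    for user, events in by_user.items():
        events.sort()  # chronological, so adjacent pairs are the closest accesses
        for (t1, w1), (t2, w2) in zip(events, events[1:]):
            if w1 != w2 and t2 - t1 <= window:
                suspects.add(user)
    return sorted(suspects)


if __name__ == "__main__":
    print("IDs not tied to one workforce member:", unattributed_access(ACCESS_LOG, ROSTER))
    print("IDs used from multiple workstations within 5 min:", shared_credential_suspects(ACCESS_LOG))
```

Either finding means the log cannot tell you which person actually viewed a record, which is exactly what the unique-ID requirement is meant to guarantee.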

Disposal of PHI

You should think twice before tossing a patient's medical records in the trash. Covered entities must dispose of PHI in a manner that renders it inaccessible – and simply throwing it away in the trash does not meet this requirement. Burning, pulverizing and/or shredding, on the other hand, is an effective and HIPAA-compliant way to dispose of PHI.
