Building Your Internal Audit Checklist for HIPAA

HIPAA Knowledge Hub

HIPAA Tracking

Learn how you can safeguard private data with our HIPAA compliance best practices

When it comes to HIPAA, every good risk manager knows that you must ensure your company is actually following applicable laws to earn HIPAA compliance certification. But how do you show or measure that?

An internal audit checklist can help you cover the bases needed to show HIPAA compliance. The internal audit checklist is designed to help you review your policies and procedures for patient privacy.

For example, are employees only allowed to access data when necessary? Do your team members know how to report a HIPAA violation?

And of course, the biggie: you must keep patient information confidential and secure. There are plenty of practices a company needs to implement in order to ensure this, like requiring employees to sign a confidentiality agreement. (It ensures they understand what information they can and cannot share with others.)

But how do you start working toward HIPAA compliance? How do you know if you’re in violation? And what can you do about it? This is where an audit can be extremely helpful.

Keep reading to learn more about HIPAA violations — and be sure to check out the other articles in our HIPAA Knowledge Hub at the bottom of this one.

What is a HIPAA Violation?

Even with laws and published guidelines, a hospital or other healthcare provider violates HIPAA regulations nearly every day. In light of this frequency, it’s critical that your team understands HIPAA violations or breaches and what happens when they occur.

The government introduced HIPAA regulations in 1996 to simplify healthcare administration. The regulations also aimed to eliminate waste and prevent fraud.

Since then, there have been several notable HIPAA updates to improve patient privacy and protection. Over time, HIPAA requirements have evolved to keep up with changing technology and emerging threats so that patient data remains safe and secure. Learn more about navigating the world of HIPAA with the rest of our HIPAA Knowledge Hub series of articles below:

HIPAA Knowledge Hub  HIPAA Tracking

More often than not, there are only a handful of regulations that organizations fail to comply with regularly. The most common HIPAA violations include:

  • unacceptable disclosure of protected patient information
  • improper disposal of patient health records

As the healthcare landscape evolves with things like EMR and telemedicine, HIPAA must reflect these new points of vulnerability. And this can prove challenging for the average business to stay up-to-date with changes in HIPAA laws. Nevertheless, if your organization fails to comply with HIPAA standards, you’re in violation of its regulations and could be subject to the fines we summarized in the related article, “What Do I Need to Do to Be HIPAA Compliant?”.

HIPAA compliance certification can ensure that your organization or practice stays on the right side of the law.

What is HIPAA Compliance Certification?

Since there is no set standard for HIPAA compliance certification, it can be challenging to outline the exact standards that your business needs to meet for compliance.

To offset nebulous interpretation, there are many organizations that provide HIPAA certification services. HIPAA compliance certification means that your organization has passed a HIPAA compliance program. This kind of certification is the next best alternative to true compliance standards.

Achieving compliance and staying compliant are two different things. HIPAA compliance is an ongoing process. Your organization might very well pass a provider’s initial certification program, but that’s no guarantee you’ll remain in compliance. (The department of Health and Human Services does not endorse HIPAA certification for this reason.)

So fair warning: as part of the certification process, your company will need to implement mechanisms to maintain HIPAA compliance.

If you want to earn HIPAA certification, you can prepare with these steps.


Understand what the HIPAA regulations mean. Someone in your department needs to fully read the guidelines and understand the implications to your business.


Hire an auditor who understands HIPAA regulations to help guide and identify issues that need policy revisions.


Revise policies or procedures so they comply with HIPAA regulations.


Plan to provide employee training to comply with HIPAA regulations. Currently, HHS does not endorse or suggest a specific training program.

How to Report a HIPAA Violation

In addition to protecting patient information, healthcare providers should know how to report a HIPAA violation.

Let’s say you have reason to believe that your organization or business partner violated a patient’s HIPAA rights. The HSS encourages witnesses to file a complaint with the Office for Civil Rights (OCR).

The OCR will investigate any complaints against the covered entity. They process complaints as fast as possible, even with a limited staff, and recommend that you use its online portal for reporting HIPAA violations. Complaints submitted by mail take longer to process.

Read more

Keep information safe.

Learn the NIST Risk Management Framework
Read more

The OCR will review the information that you submit carefully to determine if a covered entity or business associate has violated someone’s HIPAA rights. Also to note: you must file a complaint within 180 days of the violation.

If your complaint meets the criteria, the OCR will investigate the incident. The OCR may find that the covered entity or business associate did not comply with HIPAA requirements. If so, they’ll request that the offending parties voluntarily take corrective action.  

After completing the investigation, they’ll issue a letter describing a resolution for the incident. They’ll also ask for the parties to agree to a settlement for the oversight.

In rare cases, an offending party may not voluntarily agree to OCR recommendations. If that’s the case, the office may levy fines against the organization.

What Goes Into an Internal Audit Checklist?

When it comes to HIPAA compliance, your organization must cover a lot of bases, which makes an internal audit checklist really helpful.

An internal audit checklist is a vital tool for organizations that are subject to HIPAA requirements. 

This checklist will help ensure that your organization remains in compliance with HIPAA regulations. In turn, you’ll avoid hefty OCR fines. To keep up with changing HIPAA guidelines, you’ll want to update your checklist and review it regularly.

An internal audit is comprehensive, however, the following checklist focuses on the three areas of governance recommended by HHS, each with their own trio of checklist items.

Administrative Safeguards

HHS administrative safeguards tie together the management of privacy and security recommendations. These two areas are the key elements of HIPAA compliance.

The OCR reports that a security assessment of risk is often overlooked by healthcare organizations. In the event of an audit, the office will check your security risk assessment policies and procedures.

There are a few things that you want to include on your administrative safeguards checklist. These items include:

  • Conduct ongoing risk assessments

  • Update risk management policies

  • Train employees in data security

Conducting risk assessments is good, but the OCR wants to know that you are doing more than assessing; they want to know that your processes are ongoing.

Physical Safeguards

Physical safeguards encompass access to patient information. The safeguards cover physical access to records, regardless of location.

For instance, your organization may store patient information in a remote data center. Alternatively, you may keep information stored in an on-site server.

Physical safeguards also focus on workstations and employee mobile devices. Your HIPAA compliance checklist items will include:

  • Mobile device policies and procedures

  • Policies for the positioning and use of workstations

  • Implementation of facility access controls

In addition, you should maintain an inventory of all company hardware and its movement.

Technical Safeguards

When most people think of HIPAA compliance, they likely think of technical safeguards. Technical safeguards are the measures used to protect patients’ digital information. HIPAA compliance checklist items for this category include:

  • A mechanism for authenticating patient data

  • Encryption and decryption tools

  • Implementation of access controls

In this regard, there’s only one, clear HIPAA regulation: Providers must encrypt patient data, whether at rest or in transit.

Organizations should use NIST standards to protect patient information. This standard is vital for transmitting data behind your organization’s internal firewalls. If a cyber breach occurs, it will prevent malicious actors from accessing the data.

Making the Most of the Checklist

Your checklist will serve as part of your internal audit process. Don’t hesitate to also reference International Standards for the Professional Practice of Internal Auditing. There are many points to guide you in your assessment.

To complete assessments successfully, your audit staff really needs an intimate understanding of your organization’s functions & processes. They also need to see how the assessments are meant to provide value. It’s not about finding faults; it’s about finding ways to improve.

As a result, your compliance managers should think of the auditing process as a two-way conversation. It’s not a set of directives or mandates that they’ll issue.

Read more

Go beyond spreadsheets

Take the “audit once, report many” approach to assessments and testing.
Read more

The internal audit checklist is a great place to start for an audit team. However, your team—no matter its size—will eventually need an effective way to track internal processes for compliance with HIPAA regulations.

Many organizations turn to spreadsheets for this task but soon find that this basic tool isn’t quite up for the job. Siloed information on hard drives or servers, email redundancy and lost communications soon add up.

Modern audit teams opt for compliance management software, like Onspring, to automate workflows, approvals and reporting. For example, Onspring’s compliance solution gives your organization immediate access to a centralized, digital control library, which also categorizes and maps those controls to HIPAA regulations.

Compliance teams choose to automate because it’s simply more efficient. You can track changes, set control testing and send email alerts all in one flexible, no-code platform.

See for yourself schedule a personalized demo.

Let's demo

When you’re ready, we’re ready.

See what Onspring can do for your HIPAA certification plans.
Let's demo