What Are HIPAA Self Audit Requirements?

What does HIPAA compliance have in common with a building, a movie script, or applying makeup? A bad foundation often leads to disaster. If you overlook the foundational elements, you’re likely to fail.

Where HIPAA is concerned, failure leads to sizable fines. The most foundational, baseline requirement of HIPAA, as the government defines it, is the Security Risk Analysis (SRA), which best practice treats as an annual exercise. Many people think it is a single task, but in reality there are six self audits to complete before your HIPAA SRA is done. Understanding the HIPAA self audit requirements is critical to achieving and maintaining compliance.

HIPAA Self Audit Requirements – IT Risk Assessment Audit

Before starting with the audits, let's remember what the ultimate goal of compliance is. The overwhelming majority of HIPAA's regulations are focused on protected health information (PHI).

Everything that healthcare practices and other covered entities (CE) or their vendors (business associates, BA) do with PHI or electronic PHI (ePHI) matters, whether it is the collection, use, storage, transmission, or destruction. Keep that in mind as you go forward.

The IT Risk Assessment Self Audit specifically requires a security risk analysis (SRA) to be performed annually or as needed, depending on the circumstances of the organization’s environment.

Best practices call for SRAs to be done on an annual basis. Many organizations like to schedule them as part of their regular year-end business activities. If there is substantive change during the year that impacts your IT risk, it would also make sense to conduct another SRA to identify and mitigate any new threats.

HIPAA Self Audit Requirements – Asset and Device

The Asset and Device Self Audit requires a business to implement policies and procedures to govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility.

All devices on which ePHI is stored must be recorded in an inventory, along with their location in the facility or, for remote workers, the person they are assigned to. If devices are replaced, retired, or reassigned, the inventory must be updated to reflect the change.

If physical copies of PHI are generated, the location where they are stored must be documented as well, and access controls need to be established. Finally, the security measures of the site must be reviewed and modified as needed to ensure PHI and ePHI remains protected.

HIPAA Self Audit Requirements – Physical Site

The Physical Site Audit requires organizations to implement policies and procedures that limit physical access to PHI and ePHI at the facility where they are housed, while ensuring that properly authorized access is still allowed.

The site audit must be conducted at each location where PHI or ePHI is stored or accessed, including satellite offices and locations where remote workers access PHI. The regulations expect adequate physical security measures (such as locked doors and alarm systems) to be in place at each of these locations.

Any security measures implemented under the Security Rule must also be reviewed and modified as needed with proper documentation.

HIPAA Self Audit Requirements – Security Rule Standards

The Security Rule requires CEs and BAs to implement reasonable and appropriate policies and procedures to meet its standards. It also requires periodic review of those policies and procedures, and updates whenever changes in the environment would affect the security of ePHI.

Finally, it requires organizations to implement and maintain a security awareness and training program for all workforce members. When circumstances change, the awareness and training program must be updated as well.

HIPAA Self Audit Requirements – Privacy Standards

The Privacy Standards Audit requires covered entities to implement policies and procedures with respect to PHI and ePHI. These policies and procedures must comply with the Privacy Rule and the Breach Notification Rule.

Organizations must also train their workforce on their Privacy Rule and Breach Notification Rule policies and procedures. Training should be periodic. New employees must be trained within a reasonable period of time after hiring, and all employees must be retrained when a material change in policies and procedures is required by the Privacy Rule or the Breach Notification Rule.

Annual training for all employees is considered a best practice. In most cases, business associates are exempted from this audit.

HIPAA Self Audit Requirements – HITECH Subtitle D

The HITECH Subtitle D Self Audit was not originally a requirement of HIPAA; it was added with the HITECH Act in 2009. This audit covers the Breach Notification Rule, which defines what constitutes a breach of unsecured PHI.

The rule also mandates breach notification to affected individuals, to the media where the breach is large enough, and to the Secretary of the Department of Health and Human Services (HHS). Finally, it requires employee training on the Breach Notification Rule.

HIPAA Self Audit Requirements – Show Your Work

Conducting the required self-audits is a great first step toward achieving HIPAA compliance. As you work through the process, remember to document your efforts in a manner that is consistent with the HIPAA regulations and easy to access in the event of an investigation by HHS’s Office for Civil Rights (OCR).

Much like an algebra teacher, OCR insists that you be able to show your work. If you haven’t shown it, you’ve blown it. Compliancy Group pairs an effective web-based HIPAA compliance application with dedicated coaches to guide organizations to complete compliance. Since our company opened for business in 2005, we’ve never had a client fail a HIPAA audit or be fined when they follow our compliance playbook.
