What Are HIPAA Self Audit Requirements?

What does HIPAA compliance have in common with a building, a movie script, or applying makeup? A bad foundation often leads to disaster. If you overlook the foundational elements, you’re likely to fail.

HIPAA Self Audit Requirements

Where HIPAA is concerned, failure leads to sizable fines. The most foundational, baseline requirement of HIPAA, as the government defines it, is the Security Risk Analysis (SRA). Many people think of the SRA as a single task, but in reality there are six self audits to complete before your HIPAA SRA is done. Understanding what the HIPAA self audit requirements are is critical to achieving and maintaining compliance.

HIPAA Self Audit Requirements – IT Risk Assessment Audit

Before starting with the audits, let’s remember what the ultimate goal of compliance is. The overwhelming majority of HIPAA’s regulations are focused on protected health information (PHI). 

Everything that healthcare practices (covered entity, CE) or their vendors (business associate, BA) do with PHI or electronically stored PHI (ePHI) matters – whether it’s the collection, use, storage, transmission, or destruction. Keep that in mind as you go forward.

The IT Risk Assessment Self Audit requires a security risk analysis (SRA) to be performed annually, or more often as needed, depending on the circumstances of the organization's environment.

Best practice is to perform the SRA on an annual basis. Many organizations schedule it as part of their regular year-end business activities. If a substantive change during the year affects your IT risk (a new EHR system, a new vendor with access to ePHI, an office move), it also makes sense to conduct another SRA to identify and mitigate any new threats.


HIPAA Self Audit Requirements – Asset and Device

The Asset and Device Self Audit requires a business to implement policies and procedures to govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility.

Every device on which ePHI is stored must be logged on an inventory, along with where it is in the facility or, if it is used remotely, which workforce member it is assigned to. When a device is replaced or moved, the inventory must be updated to reflect the change rather than left as it was.

If physical copies of PHI are generated, the location where they are stored must be documented as well, and access controls need to be established. Finally, the security measures of the site must be reviewed and modified as needed to ensure PHI and ePHI remains protected.
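The inventory and location rules above are easy to state and easy to let drift. The following is an added example, not Compliancy Group's code or any HHS tool, of a minimal ePHI asset register that enforces them: each active asset holding PHI must have a location or an assignee, physical copies must have a documented storage location, and a replacement retires the old record and dates the change instead of overwriting it. All asset tags, room names and dates are constructed for illustration.

```python
"""Toy ePHI asset inventory with the checks a self audit asks for.

Hypothetical illustration. Asset ids, locations, assignees and dates
below are constructed sample data, not a real inventory.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Asset:
    asset_id: str                     # serial or tag number (constructed)
    kind: str                         # "laptop", "server", "usb", "paper", ...
    holds_phi: bool                   # stores PHI or ePHI
    location: Optional[str] = None    # room or site when on premises
    assignee: Optional[str] = None    # workforce member when used remotely
    status: str = "active"            # "active" or "retired"
    history: list = field(default_factory=list)  # (date, note) audit trail


class Inventory:
    def __init__(self) -> None:
        self._assets: dict[str, Asset] = {}

    def add(self, asset: Asset, on: date) -> None:
        if asset.asset_id in self._assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        asset.history.append((on, "added"))
        self._assets[asset.asset_id] = asset

    def move(self, asset_id: str, on: date, location: Optional[str] = None,
             assignee: Optional[str] = None) -> None:
        """Record movement within the facility or handover to a remote worker."""
        a = self._assets[asset_id]
        a.location, a.assignee = location, assignee
        a.history.append((on, f"moved to {location or assignee}"))

    def replace(self, old_id: str, new: Asset, on: date) -> None:
        """Retire the old record and add the new one; never overwrite in place."""
        old = self._assets[old_id]
        old.status = "retired"
        old.history.append((on, f"replaced by {new.asset_id}"))
        new.history.append((on, f"replaces {old_id}"))
        self.add(new, on)

    def get(self, asset_id: str) -> Asset:
        return self._assets[asset_id]

    def findings(self) -> list[str]:
        """Audit the register: active PHI assets must have a documented home."""
        out: list[str] = []
        for a in self._assets.values():
            if a.status != "active" or not a.holds_phi:
                continue                      # retired or no-PHI assets are not in scope
            if a.kind == "paper" and not a.location:
                out.append(f"{a.asset_id}: physical PHI with no documented storage location")
            elif not (a.location or a.assignee):
                out.append(f"{a.asset_id}: ePHI {a.kind} with no location or assignee")
        return out


def build_sample() -> Inventory:
    """Constructed sample register exercising each rule."""
    inv = Inventory()
    d = date(2024, 12, 15)
    inv.add(Asset("LT-0001", "laptop", True, assignee="remote-biller"), d)
    inv.add(Asset("SRV-01", "server", True, location="Server room 1"), d)
    inv.add(Asset("USB-07", "usb", True), d)                               # never given a home
    inv.add(Asset("CHART-BOX-3", "paper", True, assignee="front desk"), d)  # paper needs a room
    inv.add(Asset("PRN-2", "printer", False, location="Hallway"), d)       # no PHI, out of scope
    # Laptop swapped in March: old record retired, new one added, both dated.
    inv.replace("LT-0001", Asset("LT-0002", "laptop", True, assignee="remote-biller"),
                date(2025, 3, 1))
    return inv


if __name__ == "__main__":
    for line in build_sample().findings():
        print(line)
```

Running it reports two findings (the USB stick with no location or assignee, and the paper charts with no storage room) while the retired laptop drops out of scope but keeps its dated trail. Real inventories usually live in an asset-management tool; the point is that the checks are mechanical and can be run before each SRA rather than reconstructed by hand.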

HIPAA Self Audit Requirements – Physical Site

The Physical Site Audit requires organizations to implement policies and procedures to limit physical access to PHI and ePHI at the facility where they are housed while ensuring that properly authorized access is allowed. 

The site audit must be conducted at each location where PHI or ePHI is stored or accessed, including satellite offices and the locations from which remote workers access PHI. For each of these, the regulations expect adequate physical security measures to be in place (such as locked doors and alarm systems).

Any security measures implemented under the Security Rule must also be reviewed and modified as needed with proper documentation.

HIPAA Self Audit Requirements – Security Rule Standards

The Security Rule requires CEs and BAs to implement reasonable and appropriate policies and procedures to comply with its standards. It also requires periodic review and updating of those policies and procedures in response to any changes that affect the security of PHI or ePHI.

Finally, it demands that organizations implement and maintain security awareness and training programs for all workforce members. If situations require the organization to modify the awareness and training program, that must be done as well.

HIPAA Self Audit Requirements – Privacy Standard