What Does a HIPAA Audit Entail?
March 27, 2024
During a HIPAA audit, the Office for Civil Rights (OCR) examines an organization’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), focusing on policies, procedures, and practices related to protecting patient information, including administrative, physical, and technical safeguards. The following is an overview of what the OCR looks for in a HIPAA audit:
- Policies and Procedures. Review of written policies related to HIPAA, including Privacy, Security, and Breach Notification Rules.
- Administrative Safeguards. Assessment of data access management, employee training on HIPAA, and security policy implementation.
- Physical Safeguards. Evaluation of physical security for protecting both electronic and paper health information.
- Technical Safeguards. Review of technologies used to protect electronic protected health information (ePHI), such as encryption and access controls.
- Training. Confirmation that staff are properly trained on HIPAA regulations and the organization’s policies.
- Breach Notification Procedures. Examination of processes for detecting, investigating, and reporting HIPAA breaches.
- Audit Trails. Checking if audit trails are maintained to monitor access to ePHI.
- Risk Analysis. Confirmation that a thorough risk analysis has been performed to identify vulnerabilities to ePHI and reduce them.
- Compliance with Specific Requirements. The OCR may focus on specific requirements of the Privacy, Security, or Breach Notification Rules, or may examine a broader scope of requirements.
HIPAA violations can result in both civil and criminal penalties, including fines ranging from $141 to over $2 million, and even potential imprisonment for intentional violations. Avoiding these costly consequences of non-compliance starts with your HIPAA policies and procedures, which guide your practice in addressing the issues listed above so that it becomes (and stays) HIPAA compliant.
Questions or concerns about your HIPAA compliance practices? Please contact us at (646) 213-9044 or Admin@AndrieuxLaw.com.