

Your organization may well be selected for a Health Insurance Portability and Accountability Act (HIPAA) audit at some point. That audit may come a few weeks from now or a few years from now; there is no reliable way to predict when. It is therefore in your best interest to get your organization HIPAA-compliant now, so that you are ready when the time comes. Passing the audit lets you avoid civil penalties and preserves your eligibility for federal incentive programs.


If you are not sure whether your organization would pass its next HIPAA audit, the following information and tips will help you close the gap.

1. Do a Self-Audit

One way to determine whether your organization is ready to pass its next HIPAA audit is to conduct a self-audit. A self-audit pinpoints the areas of HIPAA compliance where your organization falls short, as well as the areas where it is doing well. Under the Security Rule this is not optional: a documented risk analysis is a required administrative safeguard, and it is one of the first things an auditor asks to see.

You can have an internal team conduct the assessment. However, if budget allows, it is better to bring in a third party, especially if your organization has never been through a HIPAA audit before. An outsider is less likely to overlook or soften findings out of bias or a desire to tread lightly, and a reputable firm will send people who specialize in HIPAA compliance and know exactly what to look for as soon as they arrive on-site.

Ideally, self-audits should be conducted regularly, so that issues raised in one round are fixed and then verified in the next.

2. Encrypt Everything

To pass your next HIPAA audit, ensure that all sensitive information your organization holds is encrypted. Most organizations understand that sensitive data on servers must be encrypted, but far fewer extend the same care to desktops, laptops, removable media (flash drives and external disks) and mobile devices. Under the Security Rule, encryption is an "addressable" specification rather than a strictly required one, but an organization that chooses not to encrypt must document why and what equivalent safeguard it uses instead, and that justification rarely survives an audit. Encryption that meets HHS guidance (NIST-approved algorithms, with the key kept separate from the data) also means that a lost or stolen device does not hold "unsecured" protected health information and so does not by itself trigger breach notification.

You have probably seen news reports of organizations that lost devices or had them stolen. Those organizations were cited because the devices held sensitive information stored in plain text rather than encrypted, so each lost device became a reportable breach. Such incidents put patient privacy at serious risk. One practical caveat: full-disk encryption only helps if the key cannot be recovered from the device itself, so pair it with a boot passphrase or a TPM-protected key and an automatic screen lock.

Policies should make encryption of all sensitive information mandatory, and every employee should have the knowledge and skills to use the technology correctly. The best way to achieve that is hands-on training for all employees. Make the training effective: a single one-hour lecture is not enough.
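Part of the self-audit described above is verifying that the volumes on Linux workstations that actually hold data are encrypted, rather than trusting an inventory spreadsheet. The following is an added example, not code from the original article: it parses the key="value" output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and reports every mounted filesystem whose device chain contains no `crypt` (dm-crypt/LUKS) layer. The sample `lsblk` output embedded below is constructed for illustration, and the function names are my own.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` for a laptop
# with LUKS under LVM on the root disk, a plain /boot partition, and an
# unencrypted USB stick mounted at /media/usb. Not captured from a real host.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/media/usb" PKNAME="sdb"
"""

# One KEY="value" pair; values may contain spaces but not double quotes.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `lsblk -P` output into {device name: {column: value}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(PAIR_RE.findall(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name: str, devices: Dict[str, Dict[str, str]]) -> bool:
    """Walk up the parent chain via PKNAME and report whether the device
    itself or any ancestor is a dm-crypt mapping. LVM on LUKS therefore
    counts as encrypted; a partition sitting directly on a disk does not."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name].get("TYPE") == "crypt":
            return True
        name = devices[name].get("PKNAME", "")
    return False


def unencrypted_mounts(text: str) -> List[Tuple[str, str]]:
    """Return (device, mountpoint) for every mounted filesystem that is not
    backed by an encrypted device, sorted by mountpoint."""
    devices = parse_lsblk_pairs(text)
    findings = [
        (name, dev["MOUNTPOINT"])
        for name, dev in devices.items()
        if dev.get("MOUNTPOINT") and not is_encrypted(name, devices)
    ]
    return sorted(findings, key=lambda f: f[1])


def audit_live_system() -> List[Tuple[str, str]]:
    """Run lsblk on the current host (Linux only) and audit its mounts."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    # Against the constructed sample this flags /boot and the USB stick.
    for dev, mnt in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED: {mnt} on {dev}")
```

A plain `/boot` partition is normal, because the bootloader needs to read it before the LUKS volume is unlocked; record it as an approved exception in the audit file rather than silently filtering it out of the script, so the exception itself is reviewed. On Windows endpoints the equivalent check is `manage-bde -status`, which reports BitLocker protection per volume.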

3. Protect Your Computers and Laptops

In pursuit of more advanced security measures, many organizations neglect the basics. Some encrypt all sensitive data but fail to protect the computers and laptops themselves. Without quality antivirus or endpoint protection on every computer and mobile device the organization uses, your systems are exposed to viruses and malware. Installing that software everywhere, keeping it up to date, and applying operating-system and application patches promptly should be a high priority.

You also want to train your employees to help keep the organization's devices safe from threats. For example, they should know how to spot malicious links in emails, and they should not click links in messages from unknown senders. Believe it or not, it is often the little things that count the most.

4. Don’t Just Focus on Technology

During a HIPAA audit you must be able to show that your safeguards are not purely technical; the Security Rule covers physical and administrative safeguards as well. Electronic systems receive most of the attention, but that is no reason to neglect paper records. All paper records containing sensitive information should be locked away securely, and only a limited number of people should be able to access them.

Do not keep paper records beyond their mandated retention period. Once records have been stored digitally (encrypted, of course) so that the digital copy satisfies your retention obligations, destroy the paper using a method that renders the information unreadable, such as cross-cut shredding. Document each step of the process in detail so that you have proof that your organization is HIPAA-compliant.

5. Use Strong Passwords on All Devices

To prevent unauthorized access to devices, require strong passwords on every device in your organization. Strong, unique passwords stop unauthorized people inside or outside the organization from reading sensitive information, and they stop attackers who guess or reuse leaked credentials from simply logging in. Passwords on their own do not stop viruses or malware, however; they complement the encryption and endpoint protection described above rather than replace them. Pair them with an automatic screen lock and, where the device supports it, multi-factor authentication.

As you can see, there are many things you can do to ensure your organization passes its next HIPAA audit. According to the Department of Health and Human Services, 70 percent of the market is not HIPAA-compliant. Shocking as that statistic is, nothing says your organization has to be part of that 70 percent. With time you will likely find that HIPAA compliance is not as difficult as it sounds. Follow the tips above and your organization will likely continue to enjoy federal incentives, and, best of all, your patients' information will be protected.