

If you were to have an external audit performed on your IT system, would you be able to explain your system to the auditor? Do you know the topics the auditor will ask about? Don’t wait until an audit to find out. Read on to learn about the auditing process and how best to prepare, so you can confidently explain your infrastructure and practices. Understanding the auditing process also lets you review the plans and protocols you have in place to determine whether changes need to be made.


Audit Reason

One reason an audit might be performed would be to check for compliance with HIPAA standards. The financial industry also has compliance standards. Do you know what these standards are? Do you know what parts of your systems require compliance? First and foremost, you need to know what is required for compliance. Then you can review your systems to determine your current level.

Disaster Recovery Plan

Every business should have a disaster recovery plan in place. If something happens, there needs to be a plan to get you back to business as usual. This will require brainstorming possible disasters and determining what the effects could be, from minor to worst-case scenario, and what the recovery process will need to be. For HIPAA compliance, the disaster could be a breach of protected information. How far will the effects be felt, and how can you secure the data once again and prevent such a breach from happening? This involves not only your data but also every single person who has access to the data. Does everyone involved know their role in disaster recovery?

Credential Security

Every business should also have procedures and protocols in place to secure workers’ credentials. Does your system allow unauthorized individuals to gain access? Can you detect unauthorized use of credentials? You should be able to explain not only who has access to what, but also why they were granted those access permissions. An auditor will want to know whether you are safeguarding company and client data from unauthorized access, and how you are doing this.


Plans and procedures should be documented in an easy-to-find format and place so that any authorized individual will be able to find the documentation. For an IT audit, your policies and procedures related to your network infrastructure will be assessed. The plans will include access permissions, preventative safety measures taken by staff to secure the integrity of the data, intrusion protocols, preventative measures to keep malware and viruses off the network, and general maintenance of the system. The auditor will not only look at the procedures but will also ask when the information was updated and will want to see a record of the plans actually being put in place. In an audit, they want to see that you are following the procedures you outlined for your business to keep your sensitive data secured.

If you review your policies and procedures and ensure the staff is knowledgeable as well, the auditing process will be easier. Know and understand your system, credential permissions, network security protocols and disaster recovery plan, and understand what needs to be in place to comply with your regulatory body’s requirements.
