The Health Insurance Portability and Accountability Act (HIPAA) establishes the US federal standard for protecting sensitive patient health information. Originally enacted in 1996 and significantly expanded by the HITECH Act in 2009, HIPAA applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers — and to their business associates. A HIPAA compliance audit provides an independent assessment of whether an organisation meets its obligations under the Privacy Rule, Security Rule, and Breach Notification Rule, and is an essential tool for managing OCR enforcement risk.
The Three HIPAA Rules
The Privacy Rule governs the use and disclosure of Protected Health Information (PHI). It gives patients rights over their health information, including the right to access records, request corrections, and receive an accounting of disclosures. It requires covered entities to implement privacy policies, train workforce members, and designate a Privacy Officer.
The Security Rule focuses specifically on electronic PHI (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Unlike the Privacy Rule, the Security Rule is technology-neutral — it sets outcomes, not specific technologies.
The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured PHI. Notifications must occur without unreasonable delay and no later than 60 days after discovery of the breach.
Administrative, Physical, and Technical Safeguards
The Security Rule organises safeguards into three categories:
- Administrative safeguards (45 CFR §164.308): Risk analysis and risk management, security management process, workforce training, access management, contingency planning, and periodic evaluation. These are the foundation — without a documented risk analysis, all other safeguards lack a defensible basis.
- Physical safeguards (45 CFR §164.310): Facility access controls, workstation use policies, workstation security, and device and media controls. Auditors examine how physical access to systems containing ePHI is controlled and documented.
- Technical safeguards (45 CFR §164.312): Access controls, audit controls, integrity controls, and transmission security. Key controls include unique user identification, automatic logoff, encryption of ePHI at rest and in transit, and audit logging.
Covered Entities vs Business Associates
A covered entity is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form in connection with a HIPAA-covered transaction. A business associate is any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity — including cloud service providers, billing companies, IT vendors, and consultants.
Business associates must sign a Business Associate Agreement (BAA) with covered entities and are directly liable for compliance with the Security Rule and certain Privacy Rule provisions. A HIPAA audit for a business associate focuses heavily on the security safeguards in place for ePHI and the adequacy of BAAs with any sub-contractors.
The HIPAA Audit Process
A HIPAA compliance audit typically follows these stages:
- Scope definition: Identifying all systems, locations, and personnel that create, receive, maintain, or transmit PHI/ePHI.
- Documentation review: Assessing policies, procedures, risk analysis, training records, BAAs, and incident logs against HIPAA requirements.
- Technical assessment: Evaluating technical controls — access management, encryption, audit logging, patch management — for adequacy.
- Interviews: Confirming that workforce members understand and follow privacy and security policies.
- Gap report: A prioritised list of nonconformities with remediation recommendations, distinguishing required from addressable implementation specifications.
Penalties for HIPAA violations range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. The Office for Civil Rights (OCR) investigates complaints and conducts audits; proactive compliance substantially reduces enforcement risk.