Internal Audit Checklist for HIPAA

In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act -- HIPAA -- which, through the Privacy and Security Rules issued under it, regulates how covered entities and their business associates use, disclose and protect patients' protected health information (PHI). The Department of Health and Human Services, acting through its Office for Civil Rights, enforces those rules. Auditors, whether internal staff or HHS reviewers, work from a checklist when testing how an organization creates, stores, transmits and disposes of PHI, and they look for evidence (policies, logs, test records) rather than verbal assurance.

Risk Analysis and Assessment

The HIPAA Security Rule requires every covered entity and business associate -- any organization that creates, receives, maintains or transmits electronic PHI -- to conduct an accurate and thorough risk analysis and to keep it current as systems and threats change. An auditor reviewing HIPAA compliance checks that the analysis covers every system and business unit that handles ePHI, not only the IT department, and that identified risks are tracked in a risk management plan with owners and deadlines. Risk analysis enumerates the threats and vulnerabilities that could compromise the confidentiality, integrity or availability of ePHI; risk assessment rates the likelihood and impact of each, so that the organization can estimate what it stands to lose from an insider or outsider attack and prioritize accordingly. Auditors should also confirm the scope: a risk analysis limited to one data center is incomplete when ePHI also resides on laptops, cloud services and medical devices.

Gap Analysis

In HIPAA terminology, gap analysis refers to the procedure of mapping the Security Rule's administrative, physical and technical safeguards to a medical organization's existing security controls. In other words, auditors take each regulatory requirement and compare it with the corresponding corporate control, verifying whether the control exists, is documented and actually operates as described. Gap analysis follows four steps: gap identification, determination of remediation activities, project prioritization and resource allocation. After identifying security weaknesses, auditors ensure that department heads have mitigating solutions in place. Then reviewers make sure those department heads allocate sufficient resources to mitigation projects. A gap analysis complements but does not replace the risk analysis: the first asks whether each required control is present, the second asks what could actually go wrong to ePHI.

Remediation

Remediation is an important item on an audit checklist for HIPAA. Auditors rely on HHS guidance to ensure that an organization has adequate resources and a tracked plan in place to close the weaknesses its risk and gap analyses identified, and to respond to security incidents when they occur. The tooling matters less than the record: an auditor expects to see each finding logged with an owner, a priority, a due date and evidence of closure, which is the role of defect-tracking and project management software. Data classification software helps locate the ePHI that must be protected, and calendar or scheduling software can drive the recurring reviews the Security Rule calls for. Business applications such as customer relationship management, enterprise resource planning and patient relations management systems are usually subjects of remediation, because they hold or process PHI, rather than remediation tools in themselves.

Contingency Planning

Companies engage in contingency planning to ensure that corporate activities are not halted by an emergency, accident or other operating disruption. To prevent the substantial losses that come with operational standstills, firms draw up contingency plans, also known as business continuity plans. The HIPAA Security Rule makes this explicit: its contingency plan standard requires a data backup plan, a disaster recovery plan and an emergency mode operation plan, and it also expects periodic testing and revision of those plans and an analysis of which applications and data are most critical. HIPAA auditors check a medical organization's plans to ensure that they address the operating issues that may arise in emergencies, in particular how the organization would restore operations at an alternate site and recover using alternate equipment should disaster strike. A documented plan is not sufficient on its own; auditors should ask for the date and results of the last restore test, since a backup that has never been restored offers no assurance that ePHI is recoverable.

Personnel Policies

HIPAA auditors sift through corporate human resources policies to ensure that personnel maintaining medical records possess the technical knowledge and skills for the job. These personnel include health record technicians, medical records and health information specialists, medical information clerks and coders, according to O*NET OnLine, the occupational database sponsored by the U.S. Department of Labor. Beyond qualifications, the Security Rule's workforce security and training standards give auditors concrete items to check: that access to ePHI is authorized on a need-to-know basis and periodically reviewed, that access is revoked promptly when employment ends, that a sanction policy exists for violations, and that security awareness training is delivered and documented for every member of the workforce.