
What Are HIPAA Audit Requirements?


May 4, 2021 | Reading Time: 2 Minutes


Each year, behavioral health professionals are required to conduct six HIPAA audits. These audits measure your current Privacy Rule, Security Rule, and Breach Notification Rule practices against the HIPAA standards. Telehealth.org has previously discussed 8 Common HIPAA Violations That Increase Legal Risk; this article covers the HIPAA audit requirements in more detail.

Which HIPAA Audits Are Required of Behavioral Health Providers?

As covered entities under HIPAA, behavioral health providers are required to conduct six annual HIPAA audits.

The required HIPAA audits include:

  1. Privacy Standards
  2. Security Rule Standards
  3. Security IT Risk Assessment
  4. Physical Site
  5. Asset and Device
  6. HITECH Subtitle D

What Does Each HIPAA Audit Require?

Each HIPAA audit has requirements based on a specific component of the HIPAA regulations.

Privacy Rule Audits:

  • Privacy Standards. This audit requires behavioral health providers to implement policies and procedures to protect health information and train workforce members on these policies.

Security Rule Audits:

  • Security Rule Standards. This audit requires behavioral health providers to implement policies and procedures that comply with the Security Rule. These policies and procedures must be reviewed annually and whenever an operational or environmental change occurs within the organization. Lastly, workforce members must receive security awareness training.
  • Security IT Risk Assessment. This audit requires a security risk analysis to be conducted annually. The analysis identifies where electronic PHI is created, received, stored, and transmitted, and the threats and vulnerabilities to it, so that the remaining audits have something concrete to check against.
  • Physical Site. This audit requires behavioral health providers to implement policies and procedures that limit physical access to electronic devices and the facilities that house them, and to review and modify those physical safeguards as needed.
  • Asset and Device. This audit requires behavioral health providers to implement policies and procedures governing the security of electronic media (laptops, phones, removable drives, and backups) that store or transmit PHI, including how such media are tracked, reused, and disposed of, and to update those security measures as needed.

Breach Notification Rules Audits:

  • HITECH Subtitle D. This audit requires organizations to implement policies and procedures for breach notification and to train workforce members on those policies.

Physical Site Audits and Home Offices

Even as a telehealth provider working from a home office, a Physical Site audit is still required. Your home office almost certainly contains some protected health information, on paper or on the devices you use for sessions, and that information must be protected from unauthorized access or disclosure. Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised, and such a disclosure can occur through incidental access, such as a family member or friend stumbling upon patient records or an unlocked screen.

HIPAA Resources

Need assistance with HIPAA compliance? Compliancy Group can help. Their Compliance Coaches® guide you through the entire process of achieving HIPAA compliance. Find out more about the HIPAA Seal of Compliance® and Compliancy Group.
