AHIMA Issues Updated HIPAA Compliance Audit Toolkit

Mar 6, 2017

With Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits now well underway, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit.

Late last year, covered entities were selected for desk audits, and the initial round of audits has now been completed. OCR has now moved on to auditing business associates of covered entities.

At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were scheduled for Q1 2017, are to be delayed. This gives covered entities more time to get ready.

The Phase 2 HIPAA compliance desk audits were conducted in much more detail than the first phase of audits carried out in 2011/2012. The desk audits covered a broad variety of requirements of the HIPAA Privacy, Security, and Breach Notification Rules. However, they only consisted of a documentation check to demonstrate that entities were in compliance.

The onsite audits will go much deeper and will look much more thoroughly into organizations’ compliance programs. Along with being required to show auditors documentation demonstrating compliance with HIPAA Rules, covered entities will need to show OCR evidence of HIPAA in action.

To assist with preparing for the audit process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. Covered entities can use the toolkit to assess their compliance efforts and determine whether they have all the required documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act standards.

The new toolkit describes the legal process of the HIPAA compliance audit program, OCR processes, and now incorporates the new HIPAA audit protocol utilised by OCR in the second phase of the compliance audits.

The new toolkit includes HIPAA compliance checklists covering the policies, procedures, and documentation that are likely to be sought by Office for Civil Rights auditors, along with a master policy template for the Privacy and Security Rule compliance program.

AHIMA has also included a HIPAA audit preparation guide, along with advice and best practices that HIPAA-covered entities and their business associates can put in place to help them meet all of their responsibilities.

AHIMA members can obtain the HIPAA audit readiness toolkit free of charge in the HIM Body of Knowledge section of the AHIMA website or through its online store.

The onsite audits may be behind schedule, but covered entities should make sure they are ready for an audit. Even if the audits slip into 2018, as hinted by McGraw, OCR still looks into all breaches of more than 500 records. In the event of a data breach, OCR will seek evidence of compliance with HIPAA Rules, and heavy fines await organizations found not to have complied with the HIPAA Privacy, Security, and Breach Notification Rules.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
