The HIPAA Security Rule establishes requirements for the Risk Management implementation specification and for the Audit Controls and Evaluation standards:

Risk Management Implementation Specification

This requires implementing the security measures needed to reduce risks and vulnerabilities to an appropriate level.

HIPAA Audit Controls Standard

This requires hardware, software, and procedural mechanisms that record and analyze activity in information systems that contain or use EPHI.

Evaluation Standard

This requires an entity to conduct periodic technical and non-technical evaluations and to document them, so that it can demonstrate compliance with the HIPAA Security Rule.

Under the Risk Management implementation specification, organizations must regularly identify, select, and implement controls and safeguards, and verify and report on them, so that risk levels remain manageable.

This should be a standard procedure for every organization: analyze weaknesses in how EPHI is handled and put acceptable security measures in place so that the organization's risks and vulnerabilities stay at an acceptable level.

All covered entities must evaluate their security safeguards and document the results in a way that demonstrates adherence to the HIPAA Security Rule and its compliance requirements.

Objective of HIPAA Audit and Evaluation for Compliance

The main objectives of a HIPAA audit include the following activities:

1. Ensuring that all risks and threats have been addressed.
2. Verifying that all compliance requirements have been met.


HIPAA Citation          Standard / Implementation Specification        Implementation
164.308(a)(1)(i)        Security Management Process (standard)         -
164.308(a)(1)(ii)(B)    Risk Management (implementation specification) Required
164.308(a)(8)           Evaluation (standard)                          Required
164.312(b)              Audit Controls (standard)                      Required


Risk Management

The main aim of risk management is to put security measures in place that keep risk at a manageable level.

According to NIST, risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of its occurrence. In other words, risk is the likelihood that a threat source exercises a particular vulnerability, combined with the adverse effect that would have on the organization. Risk management is therefore the process of identifying, assessing, and evaluating risk and applying appropriate measures so that it stays at an acceptable level.

Security professionals, in turn, define risk management as the process of identifying, selecting, and implementing safeguards and controls, and reporting on and evaluating them, so that risk levels remain manageable.

HIPAA Audit Controls

The main aim of the Audit Controls standard is to ensure that hardware, software, and procedural mechanisms are implemented to record and examine activity in the information systems that handle EPHI.

Organizations are routinely required to review the records these mechanisms produce for suspicious activity involving their data. The auditing mechanisms should be effective enough to trace not only the device involved in a suspicious event but also the user. Security policy should hold such individuals accountable for their actions, and it should define the procedures for reporting such discrepancies and audit alarms.

HIPAA audit controls apply to networks, systems, and other technical processes throughout the organization. A covered entity may decide how long audit log data is retained, but the retention period should be long enough for any investigation of possible unauthorized access to be completed.

The organization holding the audit log data should also define who may access it, store it securely, and protect it, especially where it contains electronic protected health information. Audit trails can serve as evidence in legal proceedings, so their authenticity and integrity must be preserved throughout their lifetime.
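To make the authenticity and integrity requirement concrete, here is an added example (not part of the original article or of any particular product) of a hash-chained EPHI access log: each entry records the user and device, is bound to the previous entry with an HMAC, and the verifier reports the first modified or deleted entry. The key, field names, and sample events are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key. A real deployment keeps it in a KMS/HSM, not in source,
# and lets only the log writer and the verifier use it.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _entry_mac(prev_mac: str, body: dict) -> str:
    # The MAC covers the entry's own fields plus the previous entry's MAC, so
    # editing, reordering or deleting an earlier entry breaks every later link.
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_event(log: List[dict], ts: str, user: str, device: str,
                 action: str, record_id: str) -> dict:
    """Record one EPHI access: who, from which device, did what, to which record."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"ts": ts, "user": user, "device": device,
            "action": action, "record": record_id}
    entry = dict(body, mac=_entry_mac(prev, body))
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Optional[int]:
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_entry_mac(prev, body), entry["mac"]):
            return i
        prev = entry["mac"]
    # Dropping entries from the tail is only detected if the latest MAC is
    # anchored somewhere the log writer cannot alter (e.g. a separate store).
    return None


def who_touched(log: List[dict], record_id: str) -> List[Tuple[str, str]]:
    """Trace every (user, device) pair that acted on a given record."""
    return [(e["user"], e["device"]) for e in log if e["record"] == record_id]


def build_sample_log() -> List[dict]:
    # Constructed sample events; all identifiers are placeholders.
    log: List[dict] = []
    append_event(log, "2024-01-05T09:12:00Z", "nurse.jsmith", "ws-icu-07", "VIEW", "MRN-0001")
    append_event(log, "2024-01-05T09:15:30Z", "dr.alee", "tablet-22", "UPDATE", "MRN-0001")
    append_event(log, "2024-01-05T09:20:05Z", "billing.kdoe", "ws-fin-03", "EXPORT", "MRN-0002")
    return log
```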

Evaluation

The main aim of the Evaluation standard is to conduct regular technical and non-technical evaluations against the implementation specifications of the rule. The evaluation is normally based on an organization's security efforts and checks that they remain responsive to operational and environmental changes that may affect EPHI. Such evaluations should be able to determine an entity's compliance with the rule.

Periodic evaluations and their documentation are a key indicator of an organization's efforts to comply with the HIPAA Security Rule. Covered entities are also required to evaluate their security policies periodically to determine whether they still respond to current changes in the security environment. The evaluations may be done internally or by an external accrediting company, in which case the external party acts as a business associate. They cover both technical and non-technical security components.

Strong auditing policies are crucial to an organization's security strategy: they help ensure that EPHI and other vital information remain confidential, retain their integrity, and are available only to authorized personnel and sources.


Let us help you in completing your HIPAA compliance with an audit.

Please contact us for more information at Bob@supremusgroup.com or call (515) 865-4591