5 Elements of an Effective HIPAA Audit Program Infographic

This week is National Health IT Week (#NHITWeek), but I think it might be better to call it National Health IT Infographic Week. I’m not complaining. I love a good infographic. For example, I posted the Rise of the Digital Patient Infographic and the Healthcare IT Leadership Infographic – A 25 Year History already this week. I figured I might as well round out the week and post an infographic on EMR and HIPAA as well. Coalfire sent me the following infographic looking at HIPAA audits. I don’t think most people realize that HIPAA audits are coming. HIPAA audits have had a slow start, but I think the momentum is growing. If you’re an organization that ever touches healthcare data, you had better be ready. Enjoy the HIPAA audit infographic below.
5 Elements of an Effective HIPAA Audit Program

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Quite frankly, if you are only concerned about ePHI, you are missing the boat.
    As much as we’d like to think that offices having gone “electronic” means they are paperless… they are not.

    I have yet to audit an office that is paperless…not one.

    Until paper is gone from an office, the focus needs to be securing PHI overall, not just “e”.

    Remember that box of paperwork found in Cali last year?

    Fines are the same whether the PHI is “e” or other.

  • I agree, and if we look at the NIST 800-53 version 4 guidance on risk analysis (the foundation for this five-step process), it says to list “personally identifiable information” in the Privacy family of controls, not just EPHI. Then we link that back to 45 CFR 164.306(a)(3), where it requires that the security controls include those measures that would support the prevention of Privacy Rule violations (that’s the Subpart E quote). So I agree: if the risk analysis does not include things beyond EPHI, like paper, it can’t possibly make the integration between privacy and security desired by the federal government.
