HIPAA Audit Preparation Checklist for Long-Term Care Facilities

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

HIPAA Audit Preparation Checklist for Long-Term Care Facilities

Kevin Henry

HIPAA

October 10, 2025

6 minutes read
Share this article
HIPAA Audit Preparation Checklist for Long-Term Care Facilities

A successful HIPAA audit begins with clear structure, proof of daily compliance, and evidence that you continually reduce risk. Use this HIPAA audit preparation checklist to organize your long-term care facility’s ePHI risk analysis, safeguards, documentation, and response capabilities.

Conduct Comprehensive Risk Assessments

Map where ePHI lives and moves

  • Inventory all systems that create, receive, maintain, or transmit ePHI: EHR/eMAR, pharmacy interfaces, nurse call, lab portals, telehealth, eFax, email, backups, and mobile devices.
  • Diagram data flows across units, business offices, and external vendors to ground your ePHI risk analysis in real operations.

Identify threats and vulnerabilities

  • Consider ransomware, lost/stolen devices, snooping, misdirected faxes, ex-employee access, unsecured Wi‑Fi, and disaster scenarios.
  • Evaluate gaps in administrative safeguards, physical safeguards, and technical safeguards that could expose residents’ information.

Score risk and plan remediation

  • Rate likelihood and impact, then prioritize actions that most reduce risk (for example, MFA rollout, device encryption, access cleanup).
  • Assign owners, timelines, and success metrics; track progress in a living risk management plan.

Document and revisit

  • Record methods, findings, decisions, and approvals; retain this and related artifacts per documentation retention requirements (at least six years is a common standard).
  • Reassess after major changes (system upgrades, mergers, new vendors) and at least annually.

Develop Detailed Policies and Procedures

Translate rules into daily practice

  • Write procedures that reflect how your nurses, CNAs, therapists, and business office staff actually work.
  • Include clear steps, forms, and responsible roles so staff can follow them under pressure.

Administrative safeguards

  • Designate privacy and security officers, define minimum necessary uses, and maintain sanction and workforce clearance procedures.
  • Establish change control, vendor management, contingency planning, and regular management review.

Physical safeguards

  • Control facility access, secure medication rooms and nursing stations, use privacy screens, lock server/network closets, and define device/media controls.

Technical safeguards

Documentation retention requirements

  • Maintain policies, procedures, risk analyses, training rosters, access reviews, incident reports, and Business Associate Agreements for at least six years.
  • Version, date, and approve every document; store in a searchable repository accessible to auditors.

Provide Workforce HIPAA Training

Build competence and accountability

  • Cover Privacy and Security Rule basics, permitted uses/disclosures, minimum necessary, safe handling of resident charts, and reporting channels.
  • Teach device hygiene, phishing awareness, secure texting, and proper eFax/email procedures common to long-term care.

Frequency and proof

  • Train during onboarding and whenever policies or systems materially change; provide annual refreshers as a best practice.
  • Keep sign‑ins, completion scores, and acknowledgments; track role-based modules for clinical, billing, and IT staff.

Reinforce with drills

  • Use short tabletop exercises and spot checks (for example, unattended workstations, badge sharing) to confirm learning sticks.

Establish Business Associate Agreements

Identify all Business Associates

  • List vendors that handle PHI: EHR and eMAR providers, billing and collections, pharmacies, labs, radiology, transport, cloud hosting, shredding, and consultants.

Core BAA provisions to include

  • Permitted and required uses/disclosures of PHI and ePHI.
  • Safeguard obligations aligned to administrative, physical, and technical safeguards.
  • Timely breach and security incident reporting with defined timeframes.
  • Flow‑down requirements to subcontractors, right to audit/assure compliance, and cooperation in investigations.
  • Return or secure destruction of PHI at termination and retention of documentation for at least six years.

Ongoing oversight

  • Perform vendor due diligence, keep an inventory of active BAAs, and review security attestations and incident history annually.

Implement Robust Access Controls

Minimum necessary, enforced

  • Define role‑based access by job function; review and recertify quarterly, especially for float staff and PRN roles.
  • Use unique IDs only—no shared accounts—and immediately disable access at termination.

Authentication and session management

  • Enforce strong passwords, multi‑factor authentication for remote or high‑risk systems, account lockout, and automatic logoff at shared workstations.

Data encryption standards

  • Encrypt data at rest (for example, full‑disk encryption such as AES‑256) and in transit (TLS 1.2+); enable remote wipe on laptops and mobile devices.

Support with physical safeguards

  • Use badge access for server rooms, secure paper records, and prohibit storing ePHI on removable media unless encrypted and signed out.

Maintain and Review Audit Logs

Capture the right events

  • Log EHR access, eMAR updates, file shares, email, VPN, firewalls, endpoint security, and eFax systems.
  • Record user ID, timestamp, resident record, action (view/edit/export), source device, and location when available.

Audit log monitoring in practice

  • Centralize logs and configure alerts for high‑risk patterns: after‑hours access, bulk exports, VIP record snooping, failed logins, and privilege changes.
  • Review exception reports daily or weekly; document findings, remediation, and any sanctions applied.

Retention and reporting

  • Retain logs per your risk analysis and state requirements; many facilities align with six‑year documentation retention requirements for consistency.
  • Test auditor‑ready reports (for example, “who accessed Resident X between May 1–31”) to ensure completeness.

Prepare Incident Response Plan

Incident response protocol

  • Define steps to detect, triage, contain, eradicate, and recover from security incidents; include roles, on‑call contacts, and decision criteria.
  • Pre‑stage evidence collection, legal/privacy consultation, and resident care continuity procedures.

Breach analysis and notification

  • Use the four‑factor assessment (data type/sensitivity, unauthorized person, whether data was acquired/viewed, and mitigation) to determine breach status.
  • For breaches of unsecured PHI, notify affected individuals and regulators without unreasonable delay and no later than 60 days; document rationale and timelines.

Test, learn, improve

  • Run semiannual tabletop exercises (for example, misdirected fax, ransomware on nursing station PC) and feed lessons learned into policies, training, and controls.

Conclusion

By grounding your HIPAA audit preparation in risk assessments, enforceable policies, targeted training, strong access controls, audit log monitoring, and a tested incident response protocol, you create defensible proof of compliance and a safer environment for residents’ information.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

FAQs

What are the key elements of a HIPAA risk assessment?

Start with a full inventory of systems and data flows containing ePHI, then identify threats and vulnerabilities across administrative, physical, and technical safeguards. Score likelihood and impact, prioritize remediation, assign owners and deadlines, and document everything. Reassess at least annually or after significant changes, and retain records per documentation retention requirements.

How often should long-term care facilities train their workforce on HIPAA?

Provide training at onboarding and whenever policies, systems, or roles materially change. Add an annual refresher to reinforce expectations, address emerging threats like phishing, and document comprehension. Keep rosters, dates, and acknowledgments as proof during audits.

What must be included in Business Associate Agreements?

BAAs should define permitted uses/disclosures of PHI, require appropriate safeguards, mandate prompt reporting of breaches and security incidents, flow down obligations to subcontractors, allow reasonable oversight, and specify return or destruction of PHI at termination. They should also address documentation retention requirements and cooperation during investigations.

How do audit logs help in HIPAA compliance monitoring?

Audit logs provide a trace of who accessed what, when, and from where, enabling rapid detection of unauthorized activity, investigation of complaints, and enforcement of the minimum necessary standard. Regular audit log monitoring surfaces risky patterns early, supports sanctions when needed, and supplies auditor‑ready evidence of ongoing compliance.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles