Many 3rd-party firms can assist healthcare organizations prepare for and help prevent HIPAA audits. They provide training for employees, checklists, software to track processes and procedures, templates, etc.
What is a SOC 2 audit and would it be helpful to have for an OCR HIPAA audit?
The internal controls of a service organization can be assessed with a SOC 2 audit. It was created to ascertain if service organizations are compliant with the HIPAA principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm and are typically expensive. Having a SOC 2 audit performed by an independent 3rd-party annually would be an excellent risk mitigation action. If your healthcare organization was ever audited by the OCR, you would immediately have a lot of valuable information available to prove your HIPAA compliance. Having annual internal HIPAA audit documentation would be valuable, but a SOC 2 attestation even more so. This can be even greater assurance that PHI is maintained securely and privately. Furthermore, when your patients, customers, vendors, and stakeholders perform any kind of due diligence on your organization, a SOC 2 audit will communicate your commitment to HIPAA.