HIPAA Compliance - Audit required?

Alex Schaefer Conversation starter

Hello! I've got a very simple question. Is an audit required to be fully HIPAA compliant and be able claim to be so? Or is it self attestation and some clients might require a 3rd party audit for verification?



  • Comment author
    Brenden Mariano Great answers Vanta Expert Vanta Team Member
    • Official comment

    Hi Alex!

    I'm a Senior Product Support Specialist here at Vanta - happy to help!

    HIPAA, along with a handful of other standards that Vanta supports, is self-attested and does not require an auditor to demonstrate compliance. You shouldn't worry about a client requiring you to verify via 3rd party audit, either, as the self-attestation is recognized as satisfactory universally. 

    Feel free to follow up if you have any additional related questions!


  • Comment author
    Eric Shoemaker (Vanta Admin) Conversation starter

    It is perfectly acceptable to perform an internal audit to ensure policies and practices align with HIPAA rules. If your policies and practices align and you sign a BAA with customers and vendors (those processing PHI), then you are effectively HIPAA compliant and can claim to be so. Some customers may want a 3rd party to confirm, but that has been the exception in my experience. 

    Note that a HIPAA audit is different from OCR performing an investigation into a reported violation. When a HIPAA violation is confirmed, they also consider what protections were in place. It's entirely possible for an organization with a strong security posture to suffer a leakage of PHI. An organization with few to no protections will receive significantly more severe penalties than those with robust protection measures. With that in mind, having a 3rd party perform a gap analysis is a stronger control than doing it yourself.



Please sign in to leave a comment.