Pricing for a HIPAA audit depends on scoping factors, including what type of audit you need, physical locations, third parties, and if the audit is combined with any others. Pricing will also vary with the inclusion of a gap analysis or additional remediation time.

The average HIPAA audit can take anywhere from weeks to months, depending on your level of preparedness and staff’s availability for interviews and control demonstration. To satisfy the audit requirements for an engagement, the auditor must validate scope, perform testing procedures, and document conclusions. These steps require time from the service organization’s management, which can be compressed or extended to meet your timeline needs. You can save time by leveraging the Online Audit Manager to maintain the audit evidence you need for compliance.

A HIPAA audit culminates in a HIPAA report. The components and formatting of HIPAA reports delivered by KirkpatrickPrice are written by our in-house Professional Writing team and written based off of CERT/CC, the SANS Institute, and NIST standards. Organizations can provide their HIPAA report to outside parties to show independent third-party verification regarding the

fairness and suitability of their information security management, controls, and practices that protect PHI.

The opinion stated in a HIPAA audit report is valid for twelve months following the date that the report was issued.

Industry standard is to schedule a HIPAA audit to be performed annually or when significant changes are made that will impact the control environment. Any frequency less than that will demonstrate a lack of commitment to compliance, plus it may cause distrust in the service organization’s systems.