
Define your HIPAA Audit Scope


Overview

Define your HIPAA Audit Scope to set the boundaries of the audit and identify the object in focus.

The object can include the people, data, system, or product in review. The scope definition allows the auditors to focus on an aspect of the organization rather than the whole. It is important to clearly define the scope of review for your given audit.

Determining your HIPAA audit scope requires your organization to specify the product, the data, the systems, vendors, and type of scope.

This article guides you on how to determine each scope item. A table listing each item is provided below to use as a template for this exercise.


Product(s) in scope

For a Software as a Service (SaaS) provider, the scope is typically the software application(s) offered to clients. Some organizations have multiple products, and it is important to define which products are in scope for the HIPAA audit and which are not.

When conducting a HIPAA audit, it is essential to identify the products that fall within its scope: any technology, application, or device that creates, stores, processes, or transmits electronic protected health information (ePHI). Examples include electronic health record (EHR) systems, health information exchanges, email systems, mobile devices, and cloud storage platforms.

Additionally, any third-party applications or vendors that have access to ePHI should also be included in the scope of the audit. By accurately delineating the products in HIPAA audit scope, organizations can ensure comprehensive compliance with HIPAA regulations and protect the privacy and security of patient data.

Data in scope

To identify the data in HIPAA audit scope, focus on the types of data handled by the product or service identified and the people who interact with it. For a SaaS provider, this is typically all the data held in the product (customer data, including any ePHI) and the people who support it, such as employees and vendors.

Systems in scope

To identify all your systems in HIPAA audit scope, take an inventory of the systems and internal controls that are critical to delivering the product or service in scope. This can include communication tools such as email and Slack if ePHI can pass through them. The key is to focus on the systems and tools that are essential to delivering your product or service. Production systems have a direct impact on the product or service and are in scope; non-production systems (development and test environments) are generally out of scope unless they hold real ePHI.

For HR systems, focus on the systems that manage employee onboarding, offboarding, and training, since these evidence your workforce security controls. Other HR functions, such as time-off requests and benefits, are usually out of HIPAA audit scope because they are not critical to delivering the product or service; bring them back in only if they store or process ePHI.

For a SaaS provider, it is typically all the infrastructure that hosts the product and the tooling that supports it, for example AWS, GitHub, and Jira.

Vendors in HIPAA audit scope

To identify the vendors in HIPAA audit scope, focus on the critical vendors that support the product or service in scope, such as the cloud hosting provider and other vendors involved in production. Any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate and must be covered by a signed business associate agreement (BAA), so the vendor list should flag which vendors handle ePHI.

Are you a business associate or a covered entity?

Scoping changes drastically based on whether you qualify as a covered entity or a business associate.

Covered entities include:

  1. Healthcare providers such as hospitals, clinics, doctors' offices, pharmacies, and home health agencies.
  2. Health plans such as government programs that pay for healthcare, health insurance companies, health maintenance organizations (HMOs), and military and veterans' health programs.
  3. Healthcare clearinghouses, i.e., organizations that act as go-betweens for healthcare providers and insurers, converting nonstandard health information into standard formats and vice versa.

Business Associates create, receive, maintain, or transmit PHI while performing services on behalf of covered entities (a subcontractor of a business associate that handles PHI is itself a business associate). They include, but are not limited to:

  1. Third-party administrators
  2. Billing companies
  3. Transcriptionists
  4. Cloud service providers
  5. Data storage firms: electronic and physical records
  6. EHR providers
  7. Consultants
  8. Pharmacy benefits managers
  9. Claims processors
  10. Collections agencies
  11. Medical device manufacturers

Use the HHS question-and-answer decision tool to determine whether your organization is a Business Associate or a Covered Entity. This determination must be made together with your Legal department.

HIPAA Rule in scope

The HIPAA rules most relevant to an audit are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

  1. The Security Rule is mandatory for both covered entities and business associates.
  2. The Privacy Rule is directly mandatory for covered entities; a business associate must comply with the Privacy Rule provisions written into its business associate agreement (BAA) and with the provisions that bind business associates directly, such as the prohibition on impermissible uses and disclosures of PHI.
  3. The Breach Notification Rule applies to both, with different obligations: a business associate must notify the covered entity of any breach of unsecured PHI it discovers, and the covered entity must notify the affected individuals, HHS, and, where required, the media.

HIPAA Audit Scope guidance template

Scoping guidance

  1. Product(s) or service(s) in scope: provide a detailed description of your organization's products or services and state which product or service is under review.
  2. Data in scope: list the types of data (including whether any of it is ePHI) and the people (customers, employees, contractors) that interact with the product or service under review.
  3. Systems in scope: list the systems and tools that store, process, transmit, or support the product or service under review.
  4. Vendors in scope: list the critical vendors used to support the product or service under review, noting which ones handle ePHI and therefore require a business associate agreement.
  5. Confirm your HIPAA status:

·       Covered Entity

·       Business Associate

  6. Confirm the HIPAA rules in scope:

·       Security Rule – mandatory for Covered Entities and Business Associates

·       Breach Notification Rule – mandatory for both: a Business Associate must notify the Covered Entity of a breach of unsecured PHI; the Covered Entity must notify affected individuals, HHS, and, where required, the media

·       Privacy Rule – mandatory for Covered Entities; a Business Associate must comply with the Privacy Rule provisions in its business associate agreement and with the provisions that bind business associates directly

