The HIPAA security rule requires covered entities to conduct four types of audits. Three are periodic, and one is annual. The periodic audits include an information systems activity review, user login monitoring, and audit log review (from systems, databases, etc., for storage, use, and disclosure of PHI). The annual audit is called an evaluation and is more commonly known as a compliance audit.
Documentation is a primary requirement of demonstrating HIPAA compliance. Documentation includes retaining written or electronic results of a risk analysis, documenting the results of an audit, developing and implementing comprehensive privacy and security policies and procedures, and documenting staff training and security incident responses.