14.6 CONCLUDING THE AUDIT

14.6.1 The Exit Interview

In general, any audit of an organization should provide the opportunity for review with management, the audit committee or other party in charge of the process. The exit interview is normally a means to ensure that proper communication has occurred between the auditor and the audited . The original engagement and understanding document should be reviewed to ensure that the scope of the engagement has been completed to the satisfaction of the organization.

14.6.2 Review the Delivered Report

The report or communication of the findings should be delivered to the appropriate parties. This document may contain information about means and methods of vulnerabilities to the system, thus the distribution of this document should be highly monitored . It should only be given to those individuals or departments previously identified as requiring access to this document.

14.6.3 Perform Remedial Action and Document Actions Taken

And finally, this audit process should be seen as a means to ensure that change management procedures are reviewed and monitored on a regular basis. This audit, whether done internally or externally, should be an educational process to allow the firm to monitor and change those procedures that are not ensuring compliance with the HIPAA guidelines.

The HIPAA privacy and security requirements should not be seen as regulatory and restrictive . They are, instead, guidance for proper handling of electronic information and should be seen by other industries as the proper means and ways to handle any sort of sensitive and private data.

The audit procedure should be seen as a means to periodically review and revisit this handling to ensure the organization continues to maintain their 'best practice' and 'best handling' of this data.