The HIPAA Security Rule requires organizations,
at a minimum, to conduct periodic internal audits to evaluate processes and
procedures intended to secure confidential or "protected health
information" (PHI) (45 CFR 164.308(a)(8)). It is often advisable to seek
an external review or audit, but the provisions of the Security Rule do not
specifically require this. In most cases, whether to seek one will be determined
by the size of the organization, its line of business, and, sometimes, contract
requirements (e.g., Medicare, Medicaid).