Documentation is Required by HIPAA and can end an audit:
At a minimum your practice needs to have a Threat Assesment done. Documentation of security measures taken and employee education undertaken regarding HIPAA needs to be kept current. Should OCR institute an audit against a practice good documentation can often end it there.
As part of our service to small and medium sized practices CYRSS offers HIPAA compliant security threat assessment and security documentation packages.
We watch so you don't have too.