


What to expect from a HIPAA Compliance Audit

Posted Fri, October 30, 2015 by Array

Data security isn’t just a popular buzzword in today’s tech community. It’s a very real concern across industries, but our clients in health and medicine face challenges most industries do not, and those challenges are only increasing. The HHS Office for Civil Rights (OCR) recently announced an expansion of its HIPAA compliance audit program, and while the risk of being selected for an audit is low, the consequences of failing one are severe.

HIPAA violations, typically identified in investigations prompted by patient complaints, can cost a health provider hundreds of thousands, or even millions, of dollars. OCR’s more aggressive audit schedule means more providers will find their security measures under the microscope.

Who must comply

Health care providers, from individual doctors all the way to major hospitals, are required to comply with the HIPAA Privacy and Security Rules. Also covered by the act are health care clearinghouses and health plans. That final group can include employers and schools that sponsor health plans holding protected health information (PHI).

These groups, called Covered Entities, engage in business with a second group that must also comply with these regulations – Business Associates. Business Associates include service providers and vendors who have access to PHI. This can include IT services, payment processors, claims processors, third-party administrators, attorneys, consultants and many more.

What to expect

Phase 2 of OCR’s audit program began with a series of pre-audit surveys mailed out earlier this year. Unlike the pilot program, Phase 2 will largely consist of “desk audits” conducted remotely by OCR staff, instead of the on-site field work of the first phase. It also differs from Phase 1 in that it has been expanded to cover both Covered Entities and Business Associates, whereas the pilot audits focused on CEs alone.

Phase 2 builds on the information uncovered in Phase 1. Instead of a broad, comprehensive audit, Phase 2 audits will be targeted at the areas of weakness the Phase 1 program uncovered. OCR’s stated intent for Phase 2 is to determine what technical assistance the office should develop for CEs. It is possible, though, for serious findings to result in a formal compliance review and civil money penalties.

Covered Entities selected for the audit will be asked to deliver contact information for their business associates – this will form the pool of associates who might be selected for audits.

Recent statements by OCR indicate that while most audits will be desk audits, the office will still conduct some comprehensive on-site audits as well.

For entities receiving a desk audit, it is critical to supply comprehensive, thorough information. Auditors will not contact you to request clarification or missing material, so any gap in what you submit may be treated as a finding and could trigger a more serious compliance review. Entities will have two weeks from the time they are notified to deliver the requested information.

The audits will focus on Privacy Rule requirements, Security Rule requirements, and the requirements of the Breach Notification Rule. You may be required to submit policies and procedures, documentation, plans, and risk assessments.


In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act. Its primary purpose was to foster the adoption of IT in health care, and in doing so it regulates the storage and transmission of electronic protected health information (ePHI). HITECH, while a distinctly separate law, reinforces the aims of HIPAA. It significantly expanded the Civil Money Penalty (CMP) for PHI privacy and security violations and introduced a tiered penalty structure.

Violations are categorized in one of four tiers, based on the entity’s level of culpability:

Violation category                                                     Minimum CMP              Maximum CMP
Did not know, and could not reasonably have known, of the violation    $100 per violation       $50,000 per violation
Reasonable cause, not willful neglect                                  $1,000 per violation     $50,000 per violation
Willful neglect, corrected within 30 days (extendable)                 $10,000 per violation    $50,000 per violation
Willful neglect, not corrected within 30 days (extendable)             $50,000 per violation    $50,000 per violation

All four tiers are capped at $1.5 million per calendar year for violations of an identical provision.


Preparing for the audit

The only fail-safe way to be ready for a HIPAA compliance audit is to actually be in compliance with the law. The first step toward a successful audit is the thorough risk analysis the Security Rule already requires, ideally performed by an experienced IT security professional. A professional can help you identify physical threats to your ePHI (lost or stolen devices, unsecured workstations and media) as well as technical threats (unpatched systems, weak access controls, unencrypted transmission or storage).

After your risk analysis, it’s important to take the necessary steps to correct any gaps you find, and to document that you did so. Risk analysis and risk management were significant points of failure in the Phase 1 audits, and they will be scrutinized even more closely in Phase 2.

A successful audit will hinge on proper and thorough documentation of your privacy and security policies and procedures. This should include workforce training records, the sanction policy applied to workforce members who violate those policies and evidence it has been enforced, and the rules governing who may access PHI and how that access is granted and reviewed. The Department of Health and Human Services publishes the complete audit protocol on its website, and reviewing your documentation against it is the most direct way to find gaps before an auditor does.

Get the help you need

Achieving and maintaining HIPAA compliance can be daunting, particularly for SMBs. Many companies aren’t fully briefed on the law’s nuances and risk running afoul of them without knowing it. Addressing security and privacy issues now means you have time to take corrective action before facing an audit; the audit’s two-week response window leaves no time to fix problems before the auditors have your information.

The right consultant will not only help you achieve compliance, they will help you establish a workflow that will make maintaining that compliance straightforward, creating an efficient system that saves you time and money.
