HIPAA Audits – The Wait is Over – It’s Real This Time

As an IT professional, there are several things that always keep you up at night when you’re responsible for the overall security and well-being of other business interests. The items change over time, but it seems there is always something, right?

Currently, the two items that concern me the most are Crypto-Ransomware attacks that are ever changing and affect all clients (I wrote on this in a recent blog here) and Phase 2 HIPAA Audits that have recently begun.

I was recently in San Antonio, Texas, at a Disaster Recovery and Business Continuity council meeting with an IT industry peer who specializes in providing services for small to mid-size medical practices. His company currently services about 50 medical practices, and four have already been called for audits. His biggest frustration is providing all of the information needed for not only the current year's risk assessments, but also previous years'. He can't provide this information because these risk assessments were never done. Needless to say, these practices are in big trouble, as they have been through the process of attestation and have previously received federal money.

I also serve many medical practices in our local market. The challenge in convincing these practices to be compliant is very complex. First of all, their industry has taken a tragic shift over the last 5 to 10 years. The government has come in and required so many changes that most physicians feel they provide only small care improvements for their patients, yet must take on an exorbitant amount of additional work to be in compliance. This often puts me in the precarious position of having to deliver a message that is very undesirable. Nonetheless, the threat of the warning has manifested into the reality of audits... and they are here now.

HIPAA Audits are Here
Although HIPAA is an important set of laws passed to protect the sensitive medical information handled by millions of covered entities and business associates, the Health and Human Services Office for Civil Rights (OCR) has never established a permanent compliance audit program. Auditing activity to date by OCR has consisted of a pilot program of audits conducted in 2011 and 2012, involving fewer than 200 covered entities. It is no wonder that many medical providers have had little concern about being subjected to a HIPAA compliance audit, and hence many have made compliance a low priority. They have never been audited, nor have they heard of anyone who has. This situation is going to change now.

On March 21, 2016, OCR announced its Phase 2 Audit Program. With the alarming increase in patient data breaches, OCR has felt intense pressure from Congress and the Office of the Inspector General (OIG) to get this long-delayed program underway. Organizations subject to HIPAA regulations need to take this development seriously, as it is a signal that they must now put their compliance programs in place.

Who will be audited?
Unlike the Phase 1 Pilot Audits, Phase 2 will not be limited to larger covered entities. OCR is aware that the vast majority of smaller organizations are not HIPAA compliant. They also know there is a serious compliance gap among business associates, so Phase 2 will cover a larger and more diverse pool of organizations. According to the OCR website:

“OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees.”

How will organizations be contacted?
Organizations will be contacted via email to obtain and verify contact information (PDF). It will be important to ensure that this email does not end up in a spam or junk folder, to avoid being flagged as not responding. Failing to respond will invite additional scrutiny. Just the act of contacting entities to let them know they are eligible should give an organization a good reason to start paying attention to HIPAA, if it has not done so already. Organizations will be required to complete a pre-audit questionnaire. Once this data has been collected, OCR will select organizations to participate in the actual audit program.

What is the process?
If you are selected for an audit, it will most likely be a desk audit. This means that you will be required to upload specified documents to a secure portal that OCR has developed for this purpose. The specific documents requested have not yet been identified, so organizations should prepare by putting a comprehensive compliance program in place, as it will produce all of the documentation that could be requested. You will have only 10 business days to upload your documents. After the documents are uploaded, they will be reviewed by an investigator. The results of the audit will obviously vary, but a further compliance review could be initiated. No one should take this program lightly – late, incomplete or inappropriate responses could be very costly.

Is this just a one-time event?
This is a precursor to a permanent audit program. Prudent organizations should assume they will be audited sooner or later.

What should I do right now? Help me!
Our HIPAA compliance service will get you fully prepared for the upcoming audit program. However, we will be going one step further. If your organization is selected for the audit, we will provide assistance in helping you to respond. Contact me today and I will schedule a time for a free consultation.

There are still many unanswered questions about the program. OCR will have to fill in the details over the coming weeks and months. However, one thing is clear – if you're subject to HIPAA, you should be preparing to get audited. We have worked diligently to provide a comprehensive and easy solution for compliance. Contact me today and I will schedule a time for a free consultation.

Thanks so much for reading our blog.


Phillip D. Long

Business Information Solutions, Inc.

For more information about Business Information Solutions please visit the BIS Website. BIS, Inc. provides Network Consulting and Proactive IT Support for businesses along the Gulf Coast from Gulfport and Biloxi, MS through Mobile, AL and on to Pensacola, FL.