HIPAA Audits: What They Are, What to Expect, What to Do

Get fully informed about HIPAA audits & how to best prepare for them!

What is a HIPAA Compliance Audit?

A HIPAA audit evaluates compliance of a covered entity or business associate with the Health Insurance Portability and Accountability Act (HIPAA).
Audits typically start with a request for documents and data. The auditor may ask for data records, policies, procedures, training records, or other details. This information is then evaluated to reach conclusions. The audit can be resolved very quickly if all the information supports the fact that the organization is in HIPAA compliance. After the audit is performed, the organization is given a draft report and then has the opportunity to respond to the findings. The final audit report will include the organization's responses as well.
HIPAA also requires that covered entities and business associates perform their own internal audits at least annually. Many large organizations perform internal audits twice a year or even quarterly, depending on changes in technology, policies, procedures, etc.

Who Conducts HIPAA Audits?

The Office for Civil Rights (OCR) in the United States periodically conducts HIPAA compliance audits of healthcare organizations.
HIPAA audits can be conducted at random but mostly target large organizations due to OCR's limited resources. From 2016 to 2017, the OCR conducted audits of 166 covered entities and 41 business associates. In April 2019, HHS randomly selected 9 health plans and clearinghouses for Compliance Reviews. In the past, HHS has randomly sent out questionnaires to health care organizations; based on the answers, it decides which organizations to audit.
The U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) first began conducting HIPAA audits in 2014. OCR conducts these periodic audits of covered entities and business associates to ensure that they follow the HIPAA privacy, security, and breach notification rules. The goal of the audit is to ensure that paper and electronic PHI remain secure, private, and protected. During the audit, the OCR assesses the security policies, controls, and processes of your organization.

HIPAA Audit Requirements

The OCR will review the following areas, which can also be used as an outline for creating your own internal audits:
  1. Privacy Standards
  2. Security Rule Standards
  3. Security IT Risk Assessment
  4. Physical Site
  5. Asset and Device
  6. HITECH Subtitle D

Privacy Rule Audits

  • Privacy Standards: Requires the documentation and review of policies and procedures, in accordance with the Privacy Rule, to protect health information, and the training of employees and contractors on these policies.

Security Rule Audits

  • Security Rule Standards: Organizations must implement policies and procedures that comply with the Security Rule. These are to be reviewed each year. Employees and contractors must also receive security training.
  • Security IT Risk Assessment: An annual analysis must be conducted to document and remediate security risks.
  • Physical Site: Policies and procedures to limit physical access to PHI must be in place and evaluated and modified as needed.
  • Asset and Device: Security protection policies and procedures for electronic media must be in place. They should be evaluated and modified as needed.

Breach Notification Rules Audits

  • HITECH Subtitle D: Policies and procedures related to breach notifications must be in place. Healthcare workers must also be trained on the timing and deadlines for such notifications should a breach occur.

Physical Site Audits and Home Offices

With telehealth growing, many telehealth and healthcare professionals now work from home. HIPAA regulations still require a physical site office audit, since this is where paper-based PHI is stored.

Audit Logs

Audit logs of all critical hardware and software systems are an important part of a HIPAA audit.

Do You Need HIPAA Compliance Audit Software?

Many 3rd-party firms can assist healthcare organizations in preparing for HIPAA audits and in reducing the likelihood of one. They provide training for employees, checklists, software to track processes and procedures, templates, etc.

What is a SOC 2 audit and would it be helpful to have for an OCR HIPAA audit?

The internal controls of a service organization can be assessed with a SOC 2 audit. It was created to ascertain whether service organizations are compliant with the HIPAA principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm and is typically expensive. Having a SOC 2 audit performed annually by an independent 3rd party would be an excellent risk mitigation action. If your healthcare organization were ever audited by the OCR, you would immediately have a lot of valuable information available to prove your HIPAA compliance. Having annual internal HIPAA audit documentation would be valuable, but a SOC 2 attestation even more so, as it provides even greater assurance that PHI is maintained securely and privately. Furthermore, when your patients, customers, vendors, and stakeholders perform any kind of due diligence on your organization, a SOC 2 audit will communicate your commitment to HIPAA.

What is Title II Under HIPAA Regulations?

Under the HIPAA umbrella of guidelines there are five sections (titles), perhaps none more important to IT departments than Title II. What exactly does Title II cover? This two-fold section covers both the legal requirements for and the security of PHI, including electronic PHI. Read here for more information.

Title II:  HIPAA Administrative Simplification

"The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
"The U.S. Department of Health and Human Services (DHHS) develops and publishes the rules pertaining to the implementation of HIPAA and standards to be used.  All health care organizations impacted by HIPAA are required to comply with the standards."

What are Examples of HIPAA Violations?

Perhaps one of the best ways to ensure you always keep PHI safe and remain compliant is to know what common HIPAA violations look like. A list recently compiled by phoenixNAP Global IT Services includes the following examples:
  • Sending a text message that contains PHI. Remember to always use an encrypted form of transmission when working with PHI.
  • Accessing patient data on a personal mobile device or home computer.
  • Failing to remove access for former employees, or for current employees who no longer need to view PHI. This is negligent.
  • Lacking proper documentation of HIPAA compliance efforts within your organization.
For more information, see Giva's list of most common HIPAA violations.

What Types of Penalties Can an Organization Face for Non-Compliance with HIPAA?

There are four tiers of penalties for non-compliance with HIPAA. Willful neglect is the most serious, though all categories come with steep fines, which range from $127 up to almost $2 million per violation.
Company officers can also be at risk of jail time of up to ten years and fines of up to $250,000 for each HIPAA-related violation.
An example from 2017, at the Memorial Health Care System in Hollywood, Florida, further reinforces the severity of punishment for non-compliance. This private healthcare provider, which operates six hospitals among other specialized treatment centers, was fined $5.5 million for a PHI breach affecting 115,143 individuals. In this instance, PHI was accessed without permission by its employees and subsequently disclosed without permission to affiliated physician office staff. More about this case can be read at the U.S. Department of Health & Human Services (HHS) website.

How to Prepare for a HIPAA Audit

By far the best way to prepare for a HIPAA audit is to be proactive every day and take all the necessary steps to maintain HIPAA compliance before an audit ever happens. Preventing the disclosure of PHI is also a social good; society is better off with this privacy. Healthcare organizations can stay reputable and in favor with patients by maintaining HIPAA compliance.
An article on HIPAA Compliance Audits written by phoenixNAP Global IT Services notes that there are several steps to prepare for a future HIPAA audit. The first three below are requirements and should be undertaken regularly to help in achieving a passing score.
  1. Ensure All Employees are Trained on HIPAA

    If employees are not well informed about the requirements of HIPAA, it will be hard for them to follow its guidelines. This will not only affect your score during an audit, but it could also put your patients' PHI at risk.
    Create training modules for employees and document their progress and completion. This immediately demonstrates your commitment to HIPAA compliance to the OCR upon its visit.
  2. Create a Risk Assessment and Management Plan

    Risk assessments and management plans are a requirement. These plans should look at the entirety of your organization and all possible risks that could contribute to a breach of data. It is a requirement that the risk assessment be recorded in writing and kept in an accessible location.
    Though many organizations do as much as possible to avoid potential breaches, they are sometimes inevitable. When a breach occurs, there must also be a plan to manage the loss, no matter the scale. This plan should also be accessible to all employees dealing with PHI.
  3. Name a Security and Privacy Officer

    A requirement under HIPAA's guidelines is that each covered organization is to name a Security and Privacy Officer. Although some may hire externally to fill this position, small or medium-sized organizations may opt to name someone internally for these additional duties. Overall, this individual will develop the PHI privacy and security plans for the organization.
    This person should:
    • Keep close contact with the IT team to implement measures and monitor new potential threats
    • Maintain detailed records of previous data breaches
    • Keep all other stakeholders informed of the status of HIPAA compliance in the organization
  4. Understand Audit Questions

    The questions asked during the audit will depend on what type of audit the OCR is conducting. There are many kinds of HIPAA audits, depending on which violations the OCR may be auditing for, and each type of audit has its own criteria.
    The OCR provides eight general instructions for entities undergoing a HIPAA audit. The details can be found in an audit protocol resource from the HHS located here:
    1. Where the document says "entity," it means both covered entities and business associates unless identified as one or the other.
    2. Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards.
    3. Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The auditor will not search for relevant documentation that may be contained within such compilations.
    4. Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request.
    5. Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word or MS Excel formats.
    6. If the requested number of documentations of implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
    7. Workforce members include entity employees, on-site contractors, students, and volunteers.
    8. Information systems include hardware, software, information, data, applications, communications, and people.
  5. Other Suggestions

    • Maintain copies of all business associate agreements, contracts, and HIPAA-related policies and procedures.
    • Carefully track where paper-based and electronic PHI are stored, including file cabinets, databases, servers, mobile devices, PCs, laptops, etc.

Conclusion for HIPAA Compliance Audits

Regrettably, many healthcare organizations are still missing the mark on HIPAA compliance. A few notable findings from the last available OCR industry audit report include:
  • Only 14% of the covered entities and business associates scored a 1, the highest rating, for breach notification content.
  • Only 1% of the covered entities and business associates scored a 1 for right of access.
  • No covered entities or business associates scored a 1 for the HIPAA security risk analysis.
Protecting PHI is important on many levels. When there is a breach of data, there is a loss of trust with your patients and the general public, who may not consider your services in the future. Being prepared during an audit will also ensure you do not receive large fines and other penalties.