Worried About a Potential HIPAA audit? You Should Be.

By Chris Gray ·

For years the health care industry has dealt with the daunting challenge of understanding and determining how to comply with privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. To complicate matters, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently released a nationwide audit program to uncover violations, raising the stakes for HIPAA compliance.

Still, some health care entities have been slow in preparing for a potential audit, which can be partially attributed to the lack of details around what requirements will be assessed during an audit. However, with the OCR’s publication of its audit protocol, the entire health care industry has been given a wakeup call.

All HIPAA covered entities, including hospitals, payers, and clearinghouses should anticipate an audit. Furthermore, if history repeats itself, those that have previously reported breaches or experienced consumer complaints to HHS should expect to receive a higher audit priority. Although HHS specifically excluded business associates from the first round of audits, they will be included in future audit cycles, according to the new criteria.

Here are the top three reasons why preparing for an audit is more critical than ever:

  1. The audit pilot program suggests that little advance warning will be provided and that documents will need to be produced within days. However, if an entity can show proof that a gap analysis was completed and that remediation is already under way, the auditors will likely show leniency.
  2. While only 115 audits will take place in 2012, the OCR has strongly hinted at an increase in enforcement activities and penalties for violations. A clear incentive for these increases is that all penalty revenue goes directly to the OCR to finance future enforcement efforts. Also, OCR Senior Advisor David Mayer indicated during his presentation at the 2012 American Health Lawyers Association Annual Meeting in Chicago, Illinois that the audit program will continue through 2013 and 2014.
  3. There are financial penalties—one of the most obvious reasons why meeting compliance guidelines matters. Unlike Payment Card Industry (PCI) standards, where fines tend to start out small and increase slowly over time, initial HIPAA fines have been significantly larger and tend to stay that way. In just a few months, the OCR has issued millions of dollars in financial penalties as a result of non-compliance.

Of course, there are countless other reasons why all health care entities covered under HIPAA rules need to achieve compliance now, including protecting sensitive client data, avoiding public backlash, damage to brand reputation, and legal ramifications, among others. Preparing for an OCR audit is a significant undertaking, but conducting an independent and unbiased gap assessment can help covered entities understand their compliance gaps and plan the activities that bring them into compliance. It is critical for organizations to choose a security partner whose services can address the protocols both from a cursory, high-level review standpoint and through an in-depth assessment of the mandate. Any gaps identified should be prioritized and serve as the basis for remediation actions that bring the entity into compliance with all mandates. Of course, the strategy used should achieve compliance in the most efficient, cost-effective way possible. Since this process is time sensitive, covered entities and business associates should allow as much time as possible between the independent assessment and any anticipated audit.

So act now—before it’s too late.

Chris Gray

Vice President, Enterprise Security and Risk

Chris Gray is the vice president for Optiv's enterprise security and risk practice with over 15 years of experience in information technology, information security and information risk management. He leads the team in achieving customer requirements with implementing information security, risk management and compliance management programs.