HIPAA audit preparation: Is your company ready?

HIPAA audits have increased in 2014. Expert Mike Chapple offers guidance to get your enterprise's compliance plan audit-ready.

I read that the Department of Health and Human Services has made periodic HIPAA-related audits a focus in 2014 after running into funding issues in 2013. My company handles personal health information (PHI) that falls under HIPAA guidance, but we've yet to go through such an audit from HHS. What preparations can we make before an auditor shows up at our door? Is there anything in particular that HHS will be looking for?

The Office for Civil Rights within the Department of Health and Human Services announced that it has initiated audits of HIPAA-covered entities and business associates in 2014. This audit program, initially started as a pilot in 2012, was not funded in the 2013 budget, but the department has now designated it as a priority.

Unlike the pilot program, regulators expect the 2014 audits to be narrow in scope but broad in application. This means that the audits will likely target more than the 115 organizations included in the pilot program, but they will be focused on specific issues rather than a sweeping review of compliance with the HIPAA Omnibus Rule. Details are not yet available on the specific issues that HHS will focus on, but expect them to center around areas that have been the subject of recent enforcement actions, such as permissible uses and disclosures of PHI, safeguards for PHI and patient access to PHI.

If you are the subject of a HIPAA audit, expect the process to run similarly to other audits that you've experienced. Companies will receive advance notification about the duration, timing and scope of the audit and may be asked to gather materials in advance to make the audit process run more smoothly. The more of the documentation requested by auditors you prepare in advance, the less time they will need to spend on-site -- that's a good thing!

Now would be a good time to dust off your HIPAA compliance plan and ensure that you have all of your i's dotted and t's crossed. The simple truth is that an organization that hasn't diligently planned, implemented and documented its HIPAA compliance strategy won't be able to "cram for the test" in order to pass an audit.

Assuming you're then satisfied that your organization is indeed HIPAA-compliant, turn your attention to organizing your HIPAA documentation in advance of an auditor's arrival. In terms of specific points of emphasis, make sure that you've documented both your mandatory risk assessment and your compliance plan. Audits always go more smoothly when your paperwork is in order!

This was last published in August 2014

1 comment

Good stuff Mike!

A couple of things I've noticed about HIPAA-covered entities and their subcontractors are 1) the assumption that documentation is enough for compliance and 2) even though the requirement has been in force for almost 10 years, the complete absence of any technical security testing of systems that process/store PHI - i.e. EHR Web applications, servers, databases, you name it. Scary stuff for the population at large.