alphaspirit - Fotolia

Get started Bring yourself up to speed with our introductory content.

How can health organizations prepare for HIPAA audits?

The long-awaited HIPAA audits conducted randomly by HHS are finally supposed to happen in 2015, but with stricter requirements. Here's how organizations can get ready.

2014 proved to be a big year in HIPAA violations and health data breaches. As a result, the U.S. Department of Health and Human Services (HHS) intends to perform random audits of health organizations that are supposedly stricter than ever before. How should my health organization prepare for such an audit? What is the HHS getting stricter about?

The biggest change in the upcoming HIPAA audits is they are increasing dramatically in scope. The audit program began in 2012 as a pilot program and was supposed to roll out to a broader array of covered entities the following year. Unfortunately for the HHS -- and fortunately for covered entities -- a series of budget cuts and operational problems delayed the broader rollout of the program. The word from HHS is that the implementation of the audit program will begin in earnest in 2015.

What should you expect if you are among those covered entities selected for a HIPAA audit? The HHS Office for Civil Rights, which is responsible for the audit program, publishes detailed audit guidance on its website. A full audit includes three elements, but items may be eliminated depending upon the nature of the audited entity. The elements of a HIPAA audit focus on protected health information (PHI) and include:

  • Privacy Rule requirements around the notice of privacy practices, the right to request privacy protection, individuals' access to PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI and accounting of disclosures;
  • Security Rule requirements for administrative, technical and physical safeguards; and
  • Breach Notification Rule requirements.

How should organizations prepare for HIPAA audits? The most important thing is to make sure compliance with each HIPAA requirement is documented. If your organization implemented a required or addressable control, what are the specific measures it's taken to comply? Where are the records related to that control that proves compliance? In cases where the organization has opted not to implement an addressable control, what is the process it followed to reach the conclusion that the control is not necessary in its environment?

A HIPAA audit is a very serious matter. The HHS OCR has a history of issuing substantial fines against covered entities who fail to comply with HIPAA. Taking the time now to prepare for an audit may save a lot of heartache down the road.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Check out more expert advice to help prepare your company for HIPAA audits.

This was last published in May 2015

Dig Deeper on HIPAA