

How can organizations prepare for a HIPAA audit?

HIPAA audits are finally on the way, and organizations need to be ready. Expert Mike Chapple reveals the best way to prepare your company for a HIPAA audit.

Despite the Office of Civil Rights audits for HIPAA being postponed, I'd still like my organization to be prepared if we need to be. What types of organizations are eligible for OCR audits? What are some good ways to prepare for them? What are the penalties if you are found to be noncompliant?

HIPAA audits are coming. If it seems like you have heard that a few times before without the audits ever materializing, you're right. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) conducted a pilot HIPAA audit program in 2012, and a broader rollout expected in 2013 was delayed by funding cuts. The program was then expected to begin in 2014 but experienced further delays; OCR now says the audits will begin sometime in 2015, though the agency has not committed to a firm timetable.

It is definitely a good time to review your audit preparedness. How can you do that? Fortunately, OCR publishes its entire audit protocol on the Web. There are no surprises during a HIPAA audit since the protocol spells out the procedures auditors must follow when conducting a program audit. For example, when auditors are examining an organization's workforce clearance process, they must follow this procedure:

"Inquire of management as to whether procedures exist for granting access to ePHI. Obtain and review policy and procedures and evaluate the content in relation to the relevant specified performance criteria. Obtain and review evidence of approval or verification of access to ePHI. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so."

No secrets there. So, what should you do to prepare for an audit? Download the OCR audit protocol and walk through it, item by item, for your organization. Any question you cannot answer with clear and convincing documented evidence is likely where your organization will stumble during an audit.

Passing an audit is important. Organizations that fail audits may become the targets of HHS compliance actions, which can result in fines and other penalties. OCR provides detailed information on its website about organizations that received HIPAA compliance fines ranging into the millions of dollars. You don't want your company to appear on that list.



This was last published in April 2015
