HIPAA Audits: What They Are, What to Expect, What to Do

Get fully informed about HIPAA audits & how to best prepare for them!

What is a HIPAA Compliance Audit? Who Conducts Them?

HIPAA audits can be conducted at random, but random audits are conducted mostly on large organizations. As of March 2019, HHS has randomly selected 9 health plans and clearinghouses for Compliance Reviews. In the past, HHS has randomly sent out questionnaires to health care organizations and, based upon the answers, decided which organizations to audit.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first began conducting HIPAA audits in 2014. OCR conducts these periodic audits of covered entities and business associates to ensure that they follow the HIPAA privacy, security, and breach notification rules. The audit goal is to ensure that paper and electronic PHI remain secure, private and protected. During the audit, the OCR assesses the security policies, controls, and processes of your organization.
From 2016 to 2017, the OCR conducted audits of 166 covered entities and 41 business associates. Audits typically start with a request for documents and data. The OCR may ask for data records, policies, procedures, training records, or other details. Once all of this information is in the hands of the OCR, they will need time to process it and reach a conclusion. The audit can be resolved very quickly if all the information supports the fact that your organization is HIPAA compliant. After the OCR performs an audit, they provide a report, and the healthcare organization has the opportunity to respond to the OCR's findings.
HIPAA also requires that covered entities and business associates perform their own internal audits at least annually. Many large organizations perform internal audits twice a year or even quarterly, depending upon whether there have been changes in technology, policies, procedures, etc.

HIPAA Audit Requirements

The OCR will review the following areas, which can also be used as an outline for creating your own internal audits:
  1. Privacy Standards
  2. Security Rule Standards
  3. Security IT Risk Assessment
  4. Physical Site
  5. Asset and Device
  6. HITECH Subtitle D

Privacy Rule Audits

  • Privacy Standards: Requires the documentation and review of policies and procedures consistent with the Privacy Rule to protect health information, and the training of employees and contractors on these policies.

Security Rule Audits

  • Security Rule Standards: Organizations are required to implement policies and procedures that comply with the Security Rule and to review these each year. Employees and contractors must also receive security training.
  • Security IT Risk Assessment: A security risk analysis must be conducted annually to make sure that risks are documented and remediated.
  • Physical Site: Policies and procedures to limit physical access to PHI must be in place and evaluated and modified as needed.
  • Asset and Device: Policies and procedures to provide security protection for electronic media must be in place and evaluated and modified as needed.

Breach Notification Rules Audits

  • HITECH Subtitle D: Policies and procedures related to breach notifications must be in place. Healthcare workers must also be trained on the timing and deadlines for such notifications should a breach occur.

Physical Site Audits and Home Offices

With the growth of telehealth and the COVID-19 pandemic, many telehealth and healthcare professionals are working from home. HIPAA regulations still require a physical site office audit, since this is where paper-based PHI is stored.

Audit Logs

Audit logs of all critical hardware and software systems are an important part of a HIPAA audit.

Do You Need HIPAA Compliance Audit Software?

There are many third-party firms that can help healthcare organizations prepare for HIPAA audits and, more importantly, prevent them. These firms provide training for employees, checklists, software to track processes and procedures, templates, etc.

What is a SOC 2 Audit and Would It Be Helpful to Have for an OCR HIPAA Audit?

The internal controls of a service organization can be assessed with a SOC 2 audit. It was created to ascertain whether service organizations are compliant with the HIPAA principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm and is typically expensive. Having a SOC 2 audit performed annually by an independent third party would be an excellent risk mitigation action. If your healthcare organization were ever audited by the OCR, you would immediately have a lot of valuable information available to prove your HIPAA compliance. Documentation from an annual internal HIPAA audit would be valuable, but a SOC 2 attestation can provide even greater assurance that PHI is maintained securely and privately. Furthermore, when your patients, customers, vendors, and stakeholders perform any kind of due diligence on your organization, a SOC 2 audit will communicate your commitment to HIPAA.

What is Title II Under HIPAA Regulations?

Under the HIPAA umbrella of guidelines, there are five sections, perhaps none more important than Title II for IT departments. What exactly does Title II cover? This two-fold section covers both the laws governing PHI and the security of PHI, including electronic PHI.

Title II:  HIPAA Administrative Simplification

"The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
"The U.S. Department of Health and Human Services (DHHS) develops and publishes the rules pertaining to the implementation of HIPAA and standards to be used.  All health care organizations impacted by HIPAA are required to comply with the standards."

What are Examples of HIPAA Violations?

Perhaps one of the best ways to ensure you always keep PHI safe and remain compliant is to know what certain HIPAA violations include. A list recently compiled by phoenixNAP Global IT Services includes the following examples:
  • Sending a text message that contains PHI. Remember to always use an encrypted form of transmission when working with PHI.
  • Accessing patient data on a personal mobile device or home computer.
  • Failing to remove access for former employees, or for current employees who no longer need to view PHI. This is negligent.
  • Lacking proper documentation of HIPAA compliance efforts within your organization.
For more information, see Giva's list of most common HIPAA violations.

What Types of Penalties Can an Organization Face for Non-Compliance with HIPAA?

There are four tiers of penalties for non-compliance with HIPAA. Willful neglect is the most serious, though all categories come with steep fines that can range from 50,000 dollars up to 1.5 million dollars per violation.
Company officers can also be at risk of jail time of up to ten years and fines of up to 250,000 dollars for each HIPAA-related violation.
A recent example from 2017, occurring at the Memorial Health Care System in Hollywood, Florida, further reinforces the severity of punishment for non-compliance. This private healthcare provider, which operates six hospitals among other specialized treatment centers, was fined 5.5 million dollars for a leak of the PHI of 115,143 individuals. In this instance, PHI was accessed without permission by its employees and subsequently disclosed without permission to affiliated physician office staff. More about this case can be read at the U.S. Department of Health & Human Services (HHS) website.

How to Prepare for a HIPAA Audit

By far the best way to prepare for a HIPAA audit is to be proactive every day and take all the necessary steps to maintain HIPAA compliance prior to an audit. Preventing the disclosure of PHI is also a social good; society is better off with this privacy. Maintaining HIPAA compliance is also an excellent way to maintain a healthcare organization's reputation and the goodwill of its patients.
A recent article on HIPAA compliance audits written by phoenixNAP Global IT Services notes that there are several steps to take in preparation for a future HIPAA audit. The first three below are requirements and should be undertaken regularly to enhance your probability of achieving a passing score.
  1. Ensure All Employees are Trained on HIPAA

    If employees are not well-informed on the requirements of HIPAA, it may be hard to follow its guidelines. This will not only affect your score during an audit, but it could also put the PHI of your patients at risk.
    Create training modules for employees and document their progress and completion. This will immediately demonstrate your commitment to HIPAA compliance to the OCR upon its visit.
  2. Create a Risk Assessment and Management Plan

    Risk assessments and management plans are a requirement. These plans should look at the entirety of your organization and all possible risks that could contribute to a breach of data. It is a requirement that the risk assessment be recorded in writing and kept in an accessible location.
    Though many organizations do as much as possible to avoid potential breaches, they are sometimes inevitable. When a breach occurs, there must also be a plan to manage the loss, no matter the scale. This plan should also be accessible to all employees dealing with PHI.
  3. Name a Security and Privacy Officer

    A requirement under HIPAA's guidelines is that each covered organization is to name a Security and Privacy Officer. Although some may hire an external individual to fill this position, small or medium-sized organizations may opt to name someone internally with an existing role to undertake these additional duties. Overall, this individual will be responsible for the plans surrounding the privacy and security of PHI within the organization.
    This person should keep close contact with the IT team to implement measures and monitor new potential threats. They should also maintain detailed records of previous data breaches, and keep all other stakeholders informed of the status of HIPAA compliance in the organization.
  4. Understand Audit Questions

    The questions during the audit will depend upon what type of audit the OCR is conducting. There are many kinds of HIPAA audits, depending upon which violations the OCR may be auditing for. Each type of audit has its own criteria.
    The OCR provides eight general instructions for entities undergoing a HIPAA audit, and the details can be found in the HHS audit protocol resource:
    1. Where the document says "entity," it means both covered entities and business associates unless identified as one or the other.
    2. Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards.
    3. Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The auditor will not search for relevant documentation that may be contained within such compilations.
    4. Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request.
    5. Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word or MS Excel formats.
    6. If the requested number of documentations of implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
    7. Workforce members include entity employees, on-site contractors, students, and volunteers.
    8. Information systems include hardware, software, information, data, applications, communications, and people.
  5. Other Suggestions

    • Maintain copies of all business associate agreements, contracts, and HIPAA-related policies and procedures.
    • Carefully track where paper-based or electronic PHI is stored, including file cabinets, databases, servers, mobile devices, PCs, laptops, etc.

Conclusion for HIPAA Compliance Audits

Unfortunately, and as recently as 2019, many healthcare organizations are still missing the mark on HIPAA compliance. As phoenixNAP Global IT Services observes, the 2019 HIPAA audit results were nothing to be proud of. A few notable findings include:
  • Only 14% of the covered entities and businesses scored a 1, the highest rating, for breach notification content.
  • Only 1% of the covered entities and enterprises scored a 1 for right-of-access.
  • No covered entities and businesses scored a 1 for HIPAA security risk analysis.
Protecting PHI is important on many levels. When there is a breach of data, there is a loss of trust with your patients and the general public, who may not consider your services in the future. Being prepared during an audit will also ensure you do not receive large fines and other penalties.