HIPAA Audits: A Five Step Survival Guide for Healthcare Providers

Oct 08, 2020 at 06:38 pm by pj




If you ask any health IT security professional today about what keeps them up at night, a full-scale data breach is probably at the top of the list. With regulatory fines in the millions and data breach notification/mitigation costs at even higher amounts, data breaches represent one of the greatest financial risks that healthcare providers contend with today. And in light of the new HIPAA Omnibus Rules, health IT vendors now face some of the same challenges as healthcare providers

Before the introduction of the most recent Omnibus Rules, providers used to get away with a lot. The old HIPAA rules were ex post, meaning a healthcare organization only got in trouble if something went wrong and was caught red handed. Now, Congress has added an ex ante enforcement mechanism as a side provision in HITECH which allows HHS’ Office for Civil Rights (OCR) to run periodic, randomized audits to determine an entity’s compliance with HIPAA.

OCR has given healthcare providers an indication of what the most important compliance areas are, in addition to guidance on how to adequately prepare for the possibility of receiving an audit. Listed below are five crucial steps any provider to be proactive.


Step One: Get Organized


The first thing any compliance or security professional should do is organize all HIPAA documentation on hand. This includes all policies and procedures, in addition to all PHI disclosure logs and security incident documentation.

It seemed that many providers had the correct documentation in order, but many policies were found to be incomplete or very out of date. An incident response plan is not effective if it is 10 years out of date and having and outdated plan is just as bad as not having one at all.


Step Two: Perform a Security Risk Assessment


In a recent Compliancy Group Webinar, over 80 percent of providers reported that their organization had not performed a security risk assessment within the past three months. Not performing the mandated Security Rule risk assessment was one of the biggest HIPAA compliance points of failure in the OCR pilot audit program. In fact, the OCR has referenced that these risk assessments are one of the most important pieces of a HIPAA compliance program. Currently, any provider organization that fails to document annual security risk assessments will be strictly scrutinized.

So, what does an organization need to include in its assessment? At the most basic level, organizations must assess its potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic Protective health Information.


Step Three: Implement Risk Mitigation


It is the actual process of following up on the gap analysis with a documented plan that truly signifies Security Rule compliance.  A certain of Security Rule domains were singled out as areas which Covered Entities faced the greatest difficulty proving compliance. Below are a few of the lack of compliance:

  • Contingency planning & backups (18 percent of audited entities implicated)
  • Media movement & destruction (14 percent of audited entities implicated)
  • Audit controls & monitoring (14 percent of audited entities implicated)
  • Access management (14 percent of audited entities implicated)
  • Risk analysis (12 percent of audited entities implicated)

Document and come up with a clear plan to resolve.


Step Four: Review Business Associate Agreements

A Covered Entity must be able to show that it has entered into such agreement with all of its Business Associates in order to survive an audit. As the Omnibus Rule also made clear, Business Associates have an obligation to enter into BAAs with their subcontractors that handle PHI. As the HIPAA audits are expected to roll out to cover Business Associates, these entities must also make sure they are laying the proper framework to survive an audit.


Step Five: Include Training

While it is not necessarily required by either HIPAA or the audits, a smart training program will also include a more detailed security awareness training specific to the organization. Such extra training not only broadens a workforce’s knowledge in an increasingly important risk area, but also helps gather information that might not have been accessed otherwise. Organizations that employ this tactic frequently get workforce members to follow up with questions or initiate side conversations notifying the organization of a security concern that may only be visible at that employee’s level.

The audits represent an opportunity for compliance and security professionals to ensure that they have the ear of their organization’s decision makers when constructing plans to keep patient data safe. Individuals that follow the appropriate preparation steps and work with their management teams to make sure their concerns are given top priority will place their organizations in a great position to survive an OCR audit.


 Jeff Ramos is President of Elevate Medical Resources and Leam Degnan is an associate with Compliance Group. Email Jeff@elevatemedicalresources.com