Healthcare in the Age of Data
Preparing for a HIPAA Compliance Audit from the HHS

During a HIPAA audit, government officials will make a formal review of all your data security documentation and the measures your medical business takes to fulfill its HIPAA and HITECH obligations.

There are two types of HIPAA audits:

  • Offsite "desk" audits — smaller, targeted audits that check whether your business complies with specific areas of the HIPAA privacy rules.
  • On-site audits — full-scale audits in which investigators visit your office and examine all areas of your data privacy and HIPAA compliance.

Why do you have to be prepared for a HIPAA audit? According to Lexology, the Department of Health and Human Services conducted its first HIPAA audits as part of a pilot program in 2012. Unfortunately, during this test run, investigators found a surprising number of HIPAA violations, and especially weak data security and encryption. As a result, the department decided to increase the number of audits.

What Is a HIPAA Audit?

During a HIPAA audit, investigators from the Office of Civil Rights (OCR) will visit your office or contact you to verify HIPAA compliance. More specifically, OCR investigations will look at three areas of HIPAA / HITECH compliance, checking to see that you've fulfilled your legal requirements for…

  1. Privacy. Procedures to guarantee PHI privacy, allow patients access to their data, and document any disclosures to business associates.
  2. Security. IT and physical safeguards to prevent unauthorized access to data.
  3. Breach notification. Procedures for contacting patients whose data has been breached and informing HHS and the media (for breaches involving 500 or more records).

Before you're audited, a survey is typically sent by the OCR asking for information about your data security practices. From the pool of surveyed healthcare companies, the OCR will select companies to audit. These surveys are time-sensitive. You may only have a few weeks to fill out and return them to the OCR.

What You Need to Do to Be Prepared for a HIPAA Audit

If your small medical practice is audited, one of the first things investigators will want to see is your risk analysis (you can use HealthIT.gov's Risk Analysis tool).

HIPAA requires that you perform a comprehensive risk analysis, which is basically an audit you do on your own business. A risk analysis requires you to…

  • Look at all areas of your IT.
  • Identify the weak areas.
  • Fix any security flaws.

A risk analysis also requires that you examine how well your business's procedures (e.g., data entry, data access for patients, theft prevention, employee education, data backup, etc.) fulfill HIPAA obligations and prevent errors and loss.

When you're audited, you'll have to submit an up-to-date risk assessment. For this reason, it's best to perform a risk analysis at least once a year.

What Can Small Medical Practices Do to Prevent HIPAA Violations?

As a small medical practice, your business doesn't have the resources of a major hospital or insurance provider. That means you'll have to be smarter with your investments. When you hire an IT consultant, look for someone who knows HIPAA compliance requirements.

Do your best to buy software and technology that meets HIPAA standards. The last thing you want to do is invest in technology that won't be up to code.

To learn more about HIPAA's technical requirements, see "Making Sure Your Practice Is Compliant with HIPAA Security Standards."
