HIPAA Audit – 5 Tactical Observations to be Prepared


Is your organization prepared for a HIPAA audit? Although random audits by the Department of Health and Human Services' Office for Civil Rights (OCR) are rare, several events can trigger one. Two common examples are patient complaints about noncompliance and reported privacy breaches. Either can result in an OCR audit, which can easily lead to bad public relations and heavy fines.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires healthcare organizations to protect patient data and other sensitive information, with a strong emphasis on the security of electronic protected health information (ePHI). Are you fully compliant with the HIPAA regulations? Below is an overview of the HIPAA compliance auditing process and the steps you should take to protect your healthcare organization from unnecessary risk.


#1: Who can be audited?

Any organization that is required to follow the HIPAA regulations can be audited by the OCR. This includes covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as business associates that handle PHI and ePHI on behalf of those entities. All of these organizations must meet the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.


#2: What can trigger a HIPAA audit?

Although random HIPAA audits are rare, they do happen. Some common audit triggers are:

  • Complaints from patients or employees. Patients complain for various reasons: perhaps they found out their information was shared on social media, or they were denied access to their own records. Employee complaints are treated slightly differently from patient complaints because they may fall under the whistleblower provision of the HIPAA Privacy Rule.
  • Prior breaches. An organization that has reported a breach affecting 500 or more individuals will already have the OCR's attention, and is more likely to be audited in the future.
  • Business associates' (BA) errors. A breach caused by one of your business associates can be grounds for an investigation into your own healthcare organization.
  • Security breaches. Being hacked by cybercriminals, using unencrypted devices, and losing devices (or having them stolen) can all lead to the exposure of patient records, which can trigger a HIPAA audit by the OCR.
  • Previous OCR visits. The more often a covered entity or business associate has been involved in a breach, the more closely the OCR will watch for further HIPAA violations. Repeat violations that amount to willful neglect of the HIPAA rules fall into the highest penalty tier, which carries the largest per-violation fines.

The OCR describes its random audits as primarily informational. However, if a random audit uncovers a serious compliance issue or an unreported breach, the OCR follows up with a full HIPAA compliance review.


#3: How to prepare for a HIPAA audit

Preparing for an OCR audit may sound burdensome; however, the preparation itself is what ensures your organization is compliant with HIPAA. What you don't know can cost you: being compliant means not having to pay hefty fines.

To prepare for a HIPAA audit, an organization must ensure its HIPAA compliance program is up to date and that it has taken the necessary steps to comply with all related HIPAA regulations:

  • Appoint a compliance officer. This can be an existing employee, a new hire, or a third-party consultant. Outsourcing healthcare compliance can be a cost-effective time saver that gives you the full benefit of an expert's knowledge and objectivity.
  • Document. The key to proper documentation is to be well organized, keep your information in one place, and make sure it is readily accessible. Document all of your policies, procedures, business associate agreements, employee training, risk assessments, and security incidents.
  • Keep your HIPAA procedures up to date. Remember, HIPAA compliance is an ongoing process. It is not a one-time plan, but something that needs to be reviewed, updated, and analyzed regularly. This is another reason it may be beneficial to outsource the compliance officer role: keeping up with the latest requirements is generally a full-time job and can consume much of an employee's time.


#4: Self-audits

Self-audits, whether carried out internally or by a third party, are a crucial component of a HIPAA compliance program and play a significant role in achieving adherence to the HIPAA regulations.

A comprehensive self-audit should include the following steps:

  • Perform risk assessments on electronic protected health information (ePHI). Make sure all messaging apps, telehealth platforms, and other communication channels that carry ePHI are secured and encrypted.
  • Review business associate agreements. Keep records of the contracts and review them periodically.
  • Review employee training procedures. Training programs need to be updated whenever requirements or working conditions change. For example, when many employees began working from home during the COVID-19 pandemic, protocols for keeping information secure on home devices and home Wi-Fi networks had to be revisited.
  • Review your documentation policies and procedures. Auditors can request many documents. Keeping them in order will go a long way toward helping your case should you be audited, because it gives you solid proof that you have done everything in your control to be compliant.


#5: A HIPAA audit is ongoing

HIPAA compliance is mandatory, and an audit can be triggered at any time, for many reasons. If a complaint is filed against you, will you be able to prove your HIPAA compliance status? The only effective preparation for a HIPAA audit is the work done before it happens. Implement HIPAA compliance best practices in your organization now to avoid damaging publicity and costly penalties in the future.
