Worried about a potential HIPAA audit? You should be.

July 12, 2012

For years the health care industry has dealt with the daunting challenge of understanding and determining how to comply with privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. To complicate matters, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently released a nationwide audit program to uncover violations, raising the stakes for HIPAA compliance.

Still, some health care entities have been slow in preparing for a potential audit, which can be partially attributed to the lack of details around what requirements will be assessed during an audit. However, with the OCR’s publication of its audit protocol, the entire health care industry has been given a wakeup call.

All HIPAA covered entities, including hospitals, payers, and clearinghouses should anticipate an audit. Furthermore, if history repeats itself, those that have previously reported breaches or experienced consumer complaints to HHS should expect to receive a higher audit priority. Although HHS specifically excluded business associates from the first round of audits, they will be included in future audit cycles, according to the new criteria.

Here are the top three reasons why preparing for an audit is more critical than ever:

  1. The audit pilot program suggests that little advance warning will be provided and that documents will need to be produced within days. However, if an entity can show proof that a gap analysis was completed and that remediation is already under way, the auditors will likely show leniency.
  2. While only 115 audits will take place in 2012, the OCR has strongly hinted at an increase in enforcement activities and penalties for violations. A clear incentive for these increases is that all penalty revenue goes directly to the OCR to finance future enforcement efforts. Also, OCR Senior Advisor David Mayer indicated during his presentation at the 2012 American Health Lawyers Association Annual Meeting in Chicago, Illinois that the audit program will continue through 2013 and 2014.
  3. There are financial penalties—one of the most obvious reasons why meeting compliance guidelines is pertinent. Unlike Payment Card Industry (PCI) standards, in which fines tend to start out small and increase slowly over time, initial HIPAA fines have been significantly larger and tend to stay that way. In just a few months, the OCR has issued millions of dollars in financial penalties as a result of non-compliance.

Of course, there are countless other reasons why all health care entities covered under HIPAA rules need to achieve compliance now, including protecting sensitive client data, avoiding public lashing, damage to brand reputation, and legal ramifications, among others. Preparing for an OCR audit is a significant undertaking, but conducting an independent and unbiased gap assessment can help covered entities understand their compliance gaps and plan the activities that bring them into compliance. It is critical for organizations to choose a security partner whose services can address the protocols both from a cursory, high-level review standpoint and through an in-depth assessment of the mandate. Any gaps that the assessment identifies should be prioritized and serve as the basis for implementing remediation actions that bring the entity into compliance with all mandates. Of course, the strategy used should achieve compliance in the most efficient, cost-effective way possible. Since this process is time sensitive, covered entities and business associates should allow as much time as possible between the independent assessment and any anticipated audit.


So act now—before it’s too late.

By: Chris Gray

Vice President, Enterprise Security and Risk
