Imagine Your Life if you Fail a HIPAA Audit

Prepare Now Because of Short Response Times


Imagine your life if your organization fails a federal HIPAA audit. Last week those of us attending the HIPAA Security conference in Washington heard clear warnings from the leaders of the Office for Civil Rights (OCR) that should make everyone who has to comply with HIPAA take notice.

Audits Coming Very Soon

  1. While audits have been discussed for a long time, they are imminent and 1,200 letters will be going out shortly. 1,200 out of the entire health care industry means the odds of you getting a letter are low. But if you do, the impact can be very high.
  2. If you receive a letter you will have only 10 – 14 days to provide the requested documentation. That isn’t enough time to overcome years of HIPAA neglect.
  3. A contractor has been hired to conduct the audits, and the OCR has been actively hiring attorneys. They aren’t there to help you.
  4. The audits will likely focus on areas that were identified as common weaknesses in the 2012 test audits – no security risk analysis, not addressing risks, unencrypted data, and lack of effective policies and procedures.
  5. Small practices will be targeted. In 2012, many smaller practices were found to be lacking in their compliance efforts. The new audits are likely to be skewed towards small medical practices, not large health systems.
  6. Are you confident your Business Associates won’t cause you to fail the audit? When a Covered Entity gets audited the OCR will now examine its Business Associates. In our experience Business Associates are often clueless about their HIPAA responsibilities, beyond signing Business Associate Agreements. Have your Business Associates complied with the 2013 HIPAA changes?
  7. Patients’ rights to their records, especially the new requirements for electronic records, are not being followed by many HIPAA Covered Entities. This is a hot button for the OCR, which is charged with protecting the rights of patients.
  8. Haven’t had a HIPAA incident? Most likely you have, and either don’t recognize incidents when they occur or aren’t giving them serious consideration. Data breach notification requirements have changed since 2009, and OCR wants to know if you have a clear policy and practice in place for notifications.


Encryption was probably mentioned more than 50 times. No kidding.

At the conference, Jocelyn Samuels, the Director of the OCR, announced a $750,000 settlement with a small cancer practice that had a bag containing an unencrypted laptop and unencrypted backup media stolen from an employee’s car.

Deven McGraw, the new Deputy Director of the OCR for Patient Privacy, said, “The bigger problem with breaches involving lost and stolen unencrypted devices is that they are often a tip off for OCR that an organization has other more serious HIPAA compliance issues – particularly the failure to conduct a risk analysis that’s followed up by actually mitigating identified risks.” This is more than a subtle hint.

Other speakers stressed that encryption not only protects patient data, but also protects the Covered Entity against having to report a lost or stolen device. Encryption is much less expensive than HIPAA penalties. Check out the article “HIPAA Enforcer Losing Patience on Encryption” for more details.

So What Can You Do? PREPARE NOW.

  1. Quickly obtain a thorough and accurate Security Risk Analysis, not a ‘checklist overview’ that will miss critical issues.

Should you do your own? The US Dept. of Health & Human Services says, “…doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

This is coming from the agency that does compliance reviews and has failed many practices that have done their own risk analyses. As the famed oil well firefighter Red Adair said, “If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur.”

  2. Fix the problems identified in the Security Risk Analysis. HIPAA requires Risk Management for both security and compliance. Years of neglect may be expensive to correct. Encryption is an obvious starting point.
  3. Have an expert review your Notice of Privacy Practices, your Business Associate Agreements, and your Data Breach Notification policies and procedures to make sure they are current and properly implemented.
  4. Contact Semel Consulting. We’ll do a risk analysis, help you fix your risks, implement effective policies and procedures, and help you with any HIPAA questions or incidents. We have helped many organizations including small medical practices, large clinics, surgery centers, hospitals, nursing home chains, home health care, health plans, and many Business Associates.
  5. Be on the lookout for the audit letter. It won’t be good if someone who opens your mail misses the letter and you miss the deadline, especially when you have made the effort to comply.


Now imagine your life when you pass a federal HIPAA audit.