HIPAA Audits Have Begun

& Will Your Business Associates Cause You to Fail?










The Office for Civil Rights (OCR) announced today that the new permanent audit program has started.

On July 11 letters were sent BY E-MAIL (check your junk mail folders!) to 167 health plans, health care providers, and health care clearing houses (all HIPAA Covered Entities notifying them that they have to send in documentation for a ‘desk audit.’ They will have 10 days to send in the required materials for review.

Of the 176 potential audit items the first covered entities will have to provide documentation proving their compliance with the following 7 HIPAA sections:

Requirements Selected for Desk Audit Review

Privacy Rule Notice of Privacy Practices & Content Requirements   [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3),  (c)(4), (d)(1), (d)(3)]
Breach Notification Rule Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule Security Management Process --  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process -- Risk Management  [§164.308(a)(1)(ii)(B)]


It’s not surprising that the audits are looking for compliance across all of HIPAA’s rules.


Considering the fact that the federal government believes privacy and confidentiality are basic CIVIL RIGHTS, the focus on the Notice of Privacy Practices (NPP) and how you handle medical records requests is expected.

Many practices are still using old NPP’s and following outdated processes that were changed in the 2013 HIPAA Omnibus Final Rule. Many practices still do not have their NPP prominently displayed on their website.

The fastest way to fix this is to adopt the free Model Notice of Privacy Practices available here.


Many practices claim they have never had a breach, which in my experience is impossible, because we always hear stories about a patient being handed another patient’s record; someone mailing a bill to the wrong person; or lab results getting mixed up.

Even the breach of one patient’s information requires that they be notified, within time limits, and a report be sent to the Office for Civil Rights.

The audits are looking for evidence of compliance, or preparation, showing that you have documented a process to notify patients and have a notification document prepared.


Least surprising of the audit items is the Risk Analysis and Risk Management Process.

After 11 years I am still amazed that medical practices don’t take the Risk Analysis seriously. Many think they don’t have to do one or they can do it themselves using checklists and online tools. Some had one done years ago and it sits on a shelf. Some keep up with regular reports but never fix the problems.

Worse, the evidence we develop shows that many practices that believe they are secure and compliant are not, because their IT staff or provider is not ensuring that security tools are all working.


Even if you think you are prepared, are your Business Associates?

The OCR announcement said that “Desk audits of business associates will follow this fall.” If you are audited then your Business Associates may also be audited.

That’s really scary, considering how few Business Associates have any idea what to do.

If you don’t think this is serious just look at some recent fines related to Business Associates.

  1. A medical practice paid $ 750,000 for sharing patient information with a vendor without having a Business Associate Agreement in place.
  1. A hospital paid $ 1.55 million for sharing patient information with a vendor without having a Business Associate Agreement in place, after the vendor breached patient records.
  1. And, for the first time, a Business Associate paid an OCR penalty - $ 650,000 for breaching just 412 patient records when it lost an iPhone.

If you are our client you should be prepared for the audit. If you get a letter, contact us so we can help you prepare your response.

If you aren’t our client, and are not absolutely sure you could pass an audit, contact us at hipaa@semelconsulting.com.