HIPAA Audits 101

Protect your patients and your budget by preparing for a HIPAA audit.


HIPAA and the HITECH Act require periodic audits of covered entities and their business associates for compliance with the Privacy, Security and Breach Notification Rules. The goals of these audits are to examine the mechanisms a practice uses to comply with HIPAA, identify best practices, pinpoint where the risks and vulnerabilities are, and encourage a renewed resolve to pay attention to compliance activities.

A little background...

In an effort to promote better coordination of patient care in the U.S., the federal government is encouraging medical practices to adopt Electronic Health Records (EHRs) through financial incentives. To bolster the protection of patient information within these systems, legislators passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law establishes requirements for notification of data breaches, new penalties, HIPAA compliance requirements for business associates and new authority for states' Attorneys General.

Any "Covered Entity" can be audited

HIPAA applies to any practice that falls under the definition of "covered entity." Under HIPAA, "covered entity" means (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. This can include:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
  • Medical Groups
  • Hospitals

A renewed commitment to HIPAA compliance

Remember the goal of these audits is to make sure that U.S. healthcare organizations are making the security and privacy of PHI a priority. If this information is exposed or mishandled, patients' records may be altered or lost; in the worst case, patients may fall victim to identity theft. That said, one very positive effect your practice should experience as a result of the audits is a refreshed commitment to HIPAA compliance. Later in this article, we'll suggest a few ways to renew this commitment and help you prepare for a potential audit.

The bottom line: potential fines

If your practice falls short on HIPAA compliance, you could be fined. Civil penalties are tiered by culpability: they start at $100 per violation where the practice did not know, and could not reasonably have known, that it was violating HIPAA, and rise to $50,000 per violation for willful neglect that is not corrected. The annual maximum for all violations of an identical provision is $1.5 million.

The financial impact of the audits extends beyond fines and into the Medicare and Medicaid EHR Incentive Programs. One of the meaningful use core objectives requires providers to conduct or review a security risk analysis under the HIPAA Security Rule (45 CFR 164.308(a)(1)) and correct identified deficiencies. If a healthcare organization attests to having done so, and an audit reveals this not to be the case, it may be required to return the incentive money it earned for meaningful use.

1. Stay on top of the law.

What are auditors looking for?

OCR's agency website has plenty of valuable information about what auditors will be looking for. HIPAA audits cover:

  • Privacy rule requirements. These touch upon notice of privacy practices for PHI, rights to request privacy protection for PHI, access of individuals to PHI, administrative requirements, uses and disclosure of PHI, and accounting of disclosures.
  • Security rule requirements for administrative, physical and technical safeguards. These include risk assessments and protocols for security incidents.
  • Requirements for the Breach Notification Rule

Legal requirements in the health care industry are constantly changing. The HIPAA Omnibus Final Rule, published in January 2013, changed the rules again, with a compliance date of September 23, 2013 for most of its provisions. Be sure you know how HIPAA rules have changed and the deadline for your practice to apply the new rules (the "effective" and "compliance" dates) for these changes. The U.S. Department of Health & Human Services (HHS) website on Health Information Privacy is a great place to look for information on HIPAA and to watch for HIPAA updates.

You may also need to update your agreements with outside business partners and vendors, including insurance companies, external hospital systems, labs, billing services and IT or Internet service providers. HIPAA requires that health organizations obtain satisfactory assurance that their business associates will also make the security and privacy of PHI a top priority. The way to do this is the required Business Associate Agreement (BAA). Note that HHS treats a vendor that merely transmits PHI, such as an Internet service provider, as a conduit rather than a business associate, so confirm which category each vendor falls into before deciding whether a BAA is needed. It also helps to make sure that your business associates understand the HIPAA rules themselves, including the changes to BAAs that come from the final omnibus rule.

2. Make HIPAA awareness a part of office culture.

Have a HIPAA Compliance plan in place.

This plan should serve as a guide to your practice and your practice's employees on HIPAA, what HIPAA requires, and how they should act to protect the practice from possible liability under HIPAA. This plan should also designate a "HIPAA Privacy Officer" and "HIPAA Security Officer" and explain what needs to happen in the case of a breach of privacy. A HIPAA Compliance plan can help in two ways: it can help prevent HIPAA violations before they even happen, and it can help the practice continue to function smoothly and efficiently if a HIPAA violation does happen. You can engage an attorney to help you draft a compliance plan for your practice.

Make sure your practice staff is trained on HIPAA Compliance.

Enforcement of security and privacy rules will only be as strong as the staff, so it is important that everyone in your organization regards these policies with the same level of seriousness. Periodic review of HIPAA law is a good idea, and we suggest annual staff training.

3. Conduct a risk analysis / mock audit

Make yourself audit ready

To conduct a risk analysis (or mock audit), consider the following:

Documentation and training

Be ready to show your policies and procedures, and explain to an auditor how you put them into action. Make sure your privacy and security officers clearly understand their roles, and keep a record of your staff's training attendance. Training certificates will come in handy in the event of an audit.

Devices and equipment

Any equipment that transmits or stores PHI needs to be cataloged, as required by HIPAA laws. David Kibbe, M.D., M.B.A., noted in Family Practice Management that this includes:

  • Hardware, such as computing devices in the front office and clinical areas, printers, fax machines, scanners, servers, personal digital assistants, firewall equipment and modems.
  • Software, such as operating systems, EHRs and programs that are used for billing, practice management, Internet browsing, email, firewalls and office productivity.
  • Network components, such as routers, hubs, phone lines, cable lines and wireless systems.

What about your gadgets?

Note that your staff members must be mindful of who has physical access to sensitive equipment (computers, data storage devices, fax machines and so on) and of password management. For the latter, that means not sharing passwords, not leaving written copies of passwords where others can find them, and using a unique password for each account.

Internet security

Firewalls are fundamental to security, especially when Internet connectivity is so ubiquitous. Use both a network firewall at the edge of the office and host-based firewalls on workstations and servers, and configure them to deny by default and allow only the traffic your practice actually needs. The Internet also brings the need for antivirus software. Whatever program you use needs to have its engine and signatures updated automatically and regularly, and an auditor may ask you to show that this is happening.

Encrypting your data

Data encryption can be a thorny area in security because there are misconceptions about what needs to be encrypted. According to Kibbe, emails and other transmissions from a doctor's office do not need to be encrypted unless they actually include PHI. Keep in mind that encryption of electronic PHI is an "addressable" specification under the Security Rule, not an absolute mandate; however, PHI that is encrypted in line with HHS guidance is not "unsecured" PHI, so its loss or theft (a stolen laptop, a misplaced backup drive) is not a reportable breach, whereas the loss of unencrypted PHI is.

Data that should be encrypted, both at rest and in transit, includes, but is not limited to:

  • Billing information
  • Case management data
  • Lab and clinical data
  • Patient reports and transcripts
  • Emails between patients and doctors, and between referral doctors
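The following is an added example, not part of Kibbe's article or this white paper, of what "encrypting a record at rest" looks like in practice: a constructed sample billing record is sealed with AES-256-GCM using Go's standard library, then the program shows that a single flipped bit in the stored ciphertext, or the ciphertext presented under the wrong record type, is rejected instead of being decrypted into corrupted data. The key-generation function is a stand-in for a key manager or HSM; the point it illustrates is that the key must be stored apart from the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not from the article: encrypting a PHI record at rest with
// AES-256-GCM so that loss of the storage medium alone does not expose the data.

// NewKey returns 32 random bytes for AES-256. In production the key lives in a
// key manager or HSM, separate from the disk that holds the ciphertext; a key
// stored next to the data defeats the purpose. (Stand-in for a KMS call.)
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A fresh 12-byte random nonce is
// generated per call and prepended to the output; aad (additional
// authenticated data) binds context such as the record type without
// encrypting it, so a ciphertext cannot be silently moved to another context.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce: nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. GCM's authentication tag makes any modification
// of the nonce, ciphertext, tag or aad fail with an error rather than return
// corrupted plaintext.
func Decrypt(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample billing record; not real patient data.
	record := []byte("patient_id=000123;cpt=99213;amount=120.00")
	aad := []byte("record_type=billing")

	ct, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, ct, aad)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, pt)

	// Flip one bit of the stored ciphertext: decryption must fail, not succeed.
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, aad)
	fmt.Printf("tampered record rejected: %v\n", err != nil)

	// Same bytes presented as a lab record: the context mismatch is also rejected.
	_, err = Decrypt(key, ct, []byte("record_type=lab"))
	fmt.Printf("wrong context rejected: %v\n", err != nil)
}
```

Authenticated encryption (GCM) rather than bare AES-CBC is the deliberate choice here: an auditor asking whether data could have been altered or lost gets a concrete answer, because any alteration of the stored bytes is detected on read. What this example does not solve is key management; if the key is written to the same disk, backup or email as the ciphertext, the data is no better protected than plaintext.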

Business Associate Agreement review

The final omnibus rule changes Business Associate Agreements (BAAs) in ways that matter in practice: business associates are now directly liable for compliance with the Security Rule and applicable parts of the Privacy Rule, their subcontractors that handle PHI must sign BAAs of their own, and the agreement should spell out who bears the costs of breach notification and remediation. Medical practices should review the BAAs they have in place with their business associates against these changes rather than assume older agreements still suffice.

Keep in mind that a risk analysis to identify weak points in privacy and security is not meant to be done only once. It's wise to continually repeat the process so you're covered in the event of an audit, and more importantly – to ensure your patients' personal health information is in good hands.


Daniel B. Brown, Esq. - Daniel B. Brown is the Managing Shareholder of The Daniel Brown Law Group, LLC in Atlanta, Georgia.

Disclaimer: The video presentations on this webpage and this white paper are for educational purposes only. Nothing in the videos or this white paper is intended to constitute legal advice or to create an attorney client relationship with any person or entity.
