Before we dive into HIPAA audit requirements, however, you first need to understand HIPAA audit protocol and what to expect from HHS OCR in the event of a HIPAA audit.
Am I at Risk of a HIPAA Audit?
HIPAA regulation identifies two different types of entities that must be compliant. Covered entities (CEs) include physicians, insurance providers, and health care clearinghouses. Business associates (BAs) are vendors hired to handle PHI; common examples include IT providers, storage providers, faxing and shredding companies, medical billing firms, practice management firms, and many more.
So regardless of whether your organization is considered a covered entity or a business associate, you are at risk of HIPAA violations and investigations. Both CEs and BAs are subject to HIPAA enforcement, meaning that most organizations working in health care need to be aware of HIPAA audit protocols.
What Triggers a HIPAA Audit?
HIPAA audits from HHS OCR are triggered by a HIPAA violation that is reported by you, a staff member, a patient, or an internal whistleblower. HIPAA investigations will always be triggered by a reported violation or potential violation.
HIPAA regulatory enforcement is managed and overseen by OCR. When OCR receives a complaint, your organization may receive a notice announcing the start of a HIPAA audit, and the protocols that OCR will pursue.
Common HIPAA Violations That Can Cause HIPAA Audits
Often, a HIPAA audit will be caused by a PHI breach. PHI breaches can be caused by a number of factors, including:
- Ransomware incident
- Malware incident
- Lost or stolen laptops, smart phones, or tablets that can access PHI
- Inappropriate disposal of paper PHI (i.e., throwing patient records into a dumpster rather than using a shredding service and locked trash bins)
- Office burglary
Other times, HIPAA audits can be caused by illegal access to PHI by unauthorized individuals, or by illegal disclosure of PHI to unauthorized individuals.
HIPAA violations involving improper access can include:
- Employees viewing patient records outside the scope of their job role, function, or tasks
- Employees accessing PHI on a device that can be viewed publicly (i.e., in a waiting room or on a computer that can be openly viewed by other patients)
HIPAA violations involving unauthorized disclosures can include:
- Providing a patient’s PHI to a family member without their express authorization
- Providing a patient’s PHI to local media without express authorization
- Using a patient’s PHI for research purposes without express authorization
It’s important to remember that any of the above-mentioned HIPAA violations, and many others that aren’t listed on this page, can be reported to HHS and ultimately trigger a HIPAA investigation and HIPAA audit. HIPAA audit protocol will generally be the same regardless of which kind of HIPAA violation leads to the investigation. We’ll cover those general HIPAA audit protocols below.
HIPAA Audit Protocols
OCR will reach out to organizations via certified mail. Additionally, you will likely receive an email from OCR as well. Be aware that fraudulent HIPAA investigation notices have been sent to health care organizations in the past. These fraudulent letters are part of a scheme designed to trick health care organizations into providing confidential information to the perpetrators.
The important thing to remember is that OCR will reach out in a certified letter. That letter will contain all the details of the potential investigation, along with requests for information and a timeline or set of dates by which next steps must be taken.
If your organization has been contacted by OCR for a HIPAA investigation, there are two kinds of HIPAA audits that OCR officials may initiate.
The first is called a HIPAA desk audit. When you are chosen for a HIPAA desk audit, federal investigators will request documentation from your organization relating to the nature of the HIPAA violation. OCR investigators may request documentation pertaining to any part of your organization’s HIPAA compliance program, including but not limited to:
- Employee training records with documented attestation
- Demonstration that you have audited the status of your organization’s compliance
- Remediation plans executed to address any gaps in your organization’s compliance, dated and signed
- Policies and procedures
- Vendor management and business associate agreements, along with documentation of due diligence
- Disaster recovery plan
- Tracking of any incidents or HIPAA violations that have occurred within the organization
The other HIPAA audit you may expect is called an onsite HIPAA audit. This is exactly what it sounds like: federal investigators from OCR will come onsite to your organization to conduct an investigation of your physical premises. Often, onsite HIPAA audits will include a document request and review component as well. The documentation that OCR investigators request may include any of the items listed above (or any other component of an effective HIPAA compliance program outlined in HIPAA regulation).
How to Respond to a HIPAA Audit
If your organization receives a notice from HHS OCR about an upcoming HIPAA desk audit or onsite HIPAA audit, don’t panic! Here are a few steps that your organization can take to prepare:
- Take inventory of your existing compliance documentation for easy access should investigators request it.
- Identify your Compliance Officer if you have not done so already; this person will serve as the point of contact between you and OCR investigators. If your organization is larger, consider creating a team or task force involving employees from appropriate departments (such as IT, quality, administration, compliance, etc.).
- Begin an internal investigation into the violation if you haven’t done so already.
- If the violation has been caused by a data breach, find out the cause, scope, and potential victims of the data breach, and gather as much information as possible. If police reports have been filed, be sure to have that information on hand as well.
- Assess your current HIPAA compliance program and gather evidence of your “good faith effort” toward HIPAA compliance. This includes any efforts you have made toward HIPAA compliance in the past, including security risk assessments, employee training, policies and procedures, business associate agreements, and anything else your organization may have done.
(Please note, this content does not constitute legal advice. If OCR has contacted your organization in regards to a HIPAA investigation, you should seek legal advice from an attorney or HIPAA compliance solution provider.)
Where to Go From Here
If you’re currently in the middle of a HIPAA audit, the requirements for what to do next can seem a little overwhelming. This is a big event in the life of your business, but organizations like yours have gotten through worse. Keep in mind the HIPAA audit protocols and HIPAA audit requirements we’ve discussed above. They may help prepare you and your business for a HIPAA audit and the potential fines associated with an OCR investigation.