How to Pass a HIPAA Audit

To date, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has conducted two rounds of HIPAA audits. The first round, which OCR called "Phase 1," was a pilot program conducted in 2011 and 2012. The second round, which OCR called "Phase 2," was conducted in 2016. OCR has not yet announced when the Phase 3 audits will begin, but that round is likely to focus on the compliance requirements that were emphasized in Phases 1 and 2.

What is the HIPAA Audit History?

OCR began its Phase 1 pilot audit program in 2011. OCR developed an audit protocol and a format for how to conduct a HIPAA audit, then audited only a small number of covered entities (business associates were not brought into the audit program until Phase 2). The findings from these pilot audits essentially created a roadmap for how future HIPAA audits would be conducted.


The Phase 2 HIPAA audit was the full implementation of the audit process. Initially, most covered entities and business associates were selected for audit based on patient complaints or self-reported HIPAA breaches.

The Phase 2 audits then shifted to so-called "desk audits," in which audit notices were sent to randomly selected healthcare providers and business associates. The notices asked the recipients to document whether they complied with specific HIPAA requirements. The seven areas of HIPAA compliance examined in the desk audits were:

  • Whether a covered entity had a copy of its Notice of Privacy Practices posted in its facility or on its website, and whether the notice was given to patients.
  • Whether the Notice of Privacy Practices contained the content required under the HIPAA Privacy Rule. 
  • A covered entity’s compliance with patients’ rights to access their medical records.
  • Whether a covered entity had policies on use and disclosure of protected health information (PHI) under the HIPAA Privacy Rule.
  • Whether the subjects had policies and procedures for risk assessment and analysis.
  • Whether the subjects had policies and procedures for risk management.
  • The timeliness and content of data breach notification to individuals affected by the breach.

The results of the desk audits have yet to be released. OCR has announced that Phase 3 of the audit program will consist of on-site audits, in which an auditor visits the covered entity's or business associate's place of business, without prior notice of the visit, to observe the organization's HIPAA policies and practices in action.

What Topics Have Been of Actual Interest to OCR?

While the desk audit results have not been released, one can get a sense of OCR's enforcement and audit priorities by reviewing which entities OCR has actually investigated and fined, and why. Entities have been investigated and fined for the following (among other reasons):

  • Failure to notify patients of a missing paper operating room schedule.
  • Leaving patient records in an unlocked area, without having written HIPAA policies or staff training in place.
  • Failure by a covered entity to have a business associate agreement in place with its business associate contractor.
  • Failure to provide patients with timely access to their medical records.
  • Failure to have a HIPAA compliant Notice of Privacy Practices.
  • Failure to terminate former employees’ login credentials.
  • Failure to have policies and procedures for revoking a terminated employee’s access.
  • Failure to implement policies and procedures to prevent, detect, and contain security violations.
  • Theft of a laptop from an employee’s car, without having a written policy on hardware removal from a facility.
  • Failure to perform technical or non-technical evaluations in response to environmental or operational changes.
  • Failure to provide timely breach notification.
  • Failure to thoroughly investigate a data breach.
  • Failure to develop policies and procedures for HIPAA compliant social media use.
  • Failure to manage identified risks to a reasonable and appropriate level (i.e., failure to conduct risk management).
  • Failure to regularly review information system activity records. 
  • Failure to restrict authorization of its workforce members’ access to ePHI to the minimum necessary to accomplish their job duties.
  • Failure to utilize device and media controls.
  • Failure to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so.
  • Failure to implement access and audit controls on information systems and applications.
  • Failure to implement technical assistance provided by OCR.
  • Failure to provide a security awareness and training program. 
  • Failure to implement HIPAA Security Rule policies and procedures.

The above list touches every one of the seven areas examined in the desk audits. It is also notable for its breadth: fines were levied for violations of specific requirements of the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Knowing what OCR has investigated in the past, combined with knowing how OCR intends to conduct future audits, puts covered entities and business associates in a better position to pass a future HIPAA audit.