3 Scary Facts About HIPAA Compliance Audits


Is your organization the subject of a HIPAA compliance audit? Without proper preparation, HIPAA compliance audits can be time consuming and downright scary. Read on for some scary facts about HIPAA compliance, what to expect during a HIPAA compliance audit, and what you can do to safeguard protected health information (PHI) and electronic protected health information (ePHI) to help ensure a successful audit.

Scary fact #1 – There is no “how-to” guide for passing a HIPAA compliance audit

While HIPAA compliance is enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR), it is one of the least prescriptive compliance regulations. The OCR offers little guidance on how to pass a HIPAA audit, leaving organizations to ascertain for themselves whether or not they are complying with HIPAA regulations.

HIPAA was also introduced in 1996, pre-dating the rise of the consumer Internet as well as the advent and evolution of mobile devices. The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed to address this gap and promote health information technology. However, healthcare organizations are still left wondering whether or not their activities are enabling them to achieve and maintain HIPAA compliance. Multiple changes to the HIPAA Privacy and Security Rules over the years have only added to the confusion.

Scary fact #2 – HIPAA compliance audits are time consuming

Under HIPAA, organizations can be randomly selected to be audited – regardless of whether a complaint has been issued, or a breach has occurred. Here’s what to expect if your organization is subject to a HIPAA compliance audit.

Upon receiving an audit notice, organizations are given 10 days to respond to initial document requests, which can include some or all of the following:

  • Privacy policies
  • Procedure manuals
  • Training manuals
  • Incident response plans
  • Risk analysis and mitigation plans

Additionally, every audit includes a site visit in which the “auditors will review key personnel and improve processes and operations to help determine compliance.” Depending on the size of your company and how well organized your materials are, expect to have 3 – 5 auditors roaming your hallways for 3 – 5 business days. So stock up on caffeine and gear up for some long days.

After the site visit, the auditors will produce a draft report of their findings. This can take 20-30 days to produce. The draft report generally describes how the audit was conducted, their findings and what actions the covered entity (CE) is taking in response to those findings. Once their draft report is complete, a covered entity has 10 business days to review it and provide written comments.

The auditor will complete a final report within 30 business days after receiving the CE’s written comments and submit it to the OCR.

Visit HHS’s website for more details on their HIPAA compliance audit process.

Scary fact #3 – Breaches of unsecured PHI must be reported to the OCR

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA CEs and their business associates (BAs) to provide notification following a breach of unsecured protected health information (PHI). Breaches of unsecured PHI affecting 500 or more individuals end up on the OCR’s “Wall of Shame.” Information on the Wall of Shame includes the name of the CE, the number of individuals affected by the breach, and the type and location of the breach.

6 ways organizations can safeguard healthcare data

In light of major security breaches experienced by leading healthcare organizations such as Anthem, Blue Cross Blue Shield and Premera Group, there is a keen focus on how PHI and ePHI is being protected. Here’s what you can do to safeguard sensitive data and help pass your next HIPAA compliance audit.

  • Document your organization’s data management, security, training and notification plans.
  • Use a detailed password policy to control access. Consider a two-factor authentication process.
  • Encrypt all ePHI. While encryption isn’t required by HIPAA, it is strongly suggested and considered best practice to encrypt data in transit and at rest.
  • Strengthen your access controls with “split knowledge.” Don’t have the same person have access to both your database and your encryption keys. Make sure access is “split” among different people so that data remains protected, even if someone’s credentials are compromised.
  • Clarify the intent of “unrecoverable data.” Determine what data is recoverable, even after a record is deleted. Know what data can be brought back in its original form and what data can be “digitally shredded.”
  • Have a detailed, testable disaster recovery plan in place. Test it often.

HOSTING Data Security for Healthcare™

As a leading compliant cloud hosting provider, HOSTING provides healthcare organizations and their business associates with the latest technology to help safeguard sensitive data and achieve compliance. Our latest offering, HOSTING Data Security for Healthcare™, provides a comprehensive solution for protecting ePHI in any environment, including private, public and hybrid clouds. Strong data controls that leverage both encryption and policy-based access controls are included. Key features of the HOSTING Data Security Solution include:

  • Systemic controls that prohibit unauthorized internal and external users from accessing sensitive data
  • Capabilities for encrypting data, controlling access, and creating granular security intelligence logs
  • Protection of databases, files and big data across an entire organization
  • Security intelligence logs that can accelerate the detection of advanced persistent threats (APTs) and insider threats

The HOSTING Data Security Solution is available in a multi-tenant environment, completely managed by the HOSTING team of compliance experts, or in a dedicated environment that can be solely managed by the customer or managed by HOSTING.

HIPAA compliance can be scary. HOSTING can help. View our latest on-demand webinar, Using Data Security to Address HIPAA and HITECH Regulations, to learn how data security can help you address HIPAA compliance. You can also contact the HOSTING certified information security and compliance team anytime for assistance in preparing for your next audit.


  1. The current HIPAA law has the medical care community so paranoid about giving any personal info for fear that they will be fined $250,000 and have 5-10 years in prison, that they share NOTHING with even guardians, who have legal rights to health information of their family member who has mental health illness. The Tell Nothing policy hurts the mental patient because guardians sometimes cannot even find the location of their loved one, let alone be invited to participate in the health care of their afflicted family member.
