Federal HIPAA Audits – Results!

by Brian Tuttle, CHP, CHA, CPHIT, CBRA

Federal HIPAA Audits – As you may or may not know, as part of the 2009 HITECH Act, the Department of Health and Human Services (HHS) was mandated (and federally funded) to conduct spot audits of covered entities to ensure HIPAA compliance. HHS delegates the work to the Office of Civil Rights (OCR), which actually performs the audits. Well, they have begun and the initial results are in.


Sadly, as expected, the results showed that smaller covered entities (defined as those with less than $50 million in revenue) had a much worse time with compliance. This seems to be directly related to the smaller budgets of smaller practices. Healthcare providers in general fared worse than health plans or clearinghouses: according to OCR, 81% of the problems were related to healthcare providers.


These initial audits covered both the HIPAA Security Rule and the older HIPAA Privacy Rule, but the Security Rule was by far the largest area of need, making up 65% of the findings. The Privacy Rule was second with 26%, and the Breach Notification Rule accounted for 9%.


Just for reference, the HIPAA Security Rule deals primarily with electronic protected health information whereas the HIPAA Privacy Rule deals with protected health information in all forms.


In this author’s opinion, the primary problem with the HIPAA Security Rule is that it tells a covered entity “what to do” but doesn’t tell it “how to do it”. This is because so much of the Security Rule requires strong technical knowledge AND an understanding of how to apply that technical knowledge to the specific legislation.


For reference, here are the areas in which OCR found the most security issues, and for which it perhaps levied the most fines:

  • Lack of Contingency Planning (Disaster Recovery)
  • No user activity monitoring in place
  • Authentication/Data Integrity policies
  • Media Reuse and Destruction policies
  • Lack of Risk Assessments
  • No policies for granting and modifying user access
  • No written policies in place at all

So what can you do to protect your practice?

First, you need to educate yourself on what the HIPAA Security Rule entails, via training or self-help. Second, you need to identify areas for improvement by conducting a thorough Risk Assessment of your practice's compliance levels. A properly done Risk Assessment will (or should) uncover many of the warts and blemishes your practice may have concerning HIPAA Security. Third, you need to be sure to have appropriate written policies and procedures in place, which is itself a requirement of the HIPAA Security Rule.


In conclusion, the days of HIPAA being just an annoying word with no teeth to back it up are over; the government is acting on this now and has the funding to do so. None of this is rocket science, and it all makes perfect sense once you take the initiative to get it done. Make no mistake: you will at some point have to deal with these issues one way or another, so do it on your terms before being fined.

If you are not sure whether you are HIPAA compliant, take our Self HIPAA Assessment.

For more information, please email info@tier3md.com.


Brian Tuttle has written numerous articles on HIPAA Rules and HIPAA Compliance for your practice.