The Dreaded HIPAA Audit

According to the Department of Health & Human Services, 70% of health care businesses are not HIPAA compliant, and 79% of HIPAA audits result in failure. The penalties are steep: under the HITECH penalty tiers, violations of a single HIPAA provision can cost up to $1.5 million per calendar year, and OCR settlements regularly run into the millions.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, was passed by Congress in 1996. Today it exists to protect patients and their confidential information: the Privacy Rule governs how protected health information (PHI) may be used and disclosed, and the Security Rule sets the administrative, physical and technical safeguards required for PHI held in electronic form (ePHI).


Improvements over Time

These days we use technology daily; it has changed our personal lives and the way companies conduct business. From insurance agencies and steel manufacturers to financial associations and medical practices, technology has been a double-edged sword, bringing new opportunities along with new and different obstacles.

When HIPAA was first put in place, a patient's protected health information lived in a paper chart; all data was on paper, and nobody worried about an attacker breaking into a network and stealing records. Times have changed, and so have the records: with the move to paperless practices, electronic protected health information (ePHI) is now far more common than paper, which is why the Security Rule was added later to address it specifically.


Compliance is NOT Negotiable…

HIPAA compliance is required by law; it is not optional, and it is arguably more important than ever to have your compliance in order. The healthcare industry is attacked constantly by cybercriminals, human error accounts for most data breaches, and filing a complaint against an organization is easy. Your compliance could come under review at any time, and you must be ready with your HIPAA documentation in hand or be prepared to pay thousands of dollars in violation fines.


If you are a "covered entity" or a "business associate" and you handle "protected health information (PHI)," you and your business are required to be HIPAA compliant. This includes:

  • Physicians
  • Surgeons
  • Dentists
  • Podiatrists
  • Laboratory technicians
  • Optometrists
  • Hospitals
  • Clinics
  • Nursing Homes
  • Home Health Care
  • Medical Billing
  • Pharmacies


What Sets an Audit in Motion?

The Office for Civil Rights (OCR), part of the Department of Health & Human Services, is responsible for enforcing HIPAA. OCR runs a periodic audit program that can select an organization without warning, but most compliance reviews are triggered by a specific event. Common triggers include:

  • Patient complaints: patients can file complaints for any number of reasons. Maybe a patient was mistreated by staff, maybe they were denied access to their medical records, or perhaps they saw a picture on social media with their medical record visible on a computer screen in the background.
  • Employee complaints: unhappy employees often file complaints after being terminated, but not always. Any employee who believes there has been wrongdoing can file one.
  • Employee mistakes: human error accounts for many audits. Falling victim to a phishing email, using weak passwords, and sending a patient the wrong records are all examples. Accidents do happen.
  • Insider wrongdoing: sometimes employees violate policy on purpose, and other times they are just curious. An employee could steal patient records for personal gain, or peek at a patient's chart out of curiosity about their visit.
  • Third-party mistakes: mistakes made by a Business Associate (BA) can also lead to an investigation of your organization. If your BA suffers a data breach, you may be audited as well.
  • Security incidents: common examples are lost or stolen devices such as laptops and smartphones, especially unencrypted ones, and unpatched software that let malware or ransomware in. Note that a lost device whose storage is encrypted in line with HHS guidance generally does not contain "unsecured" PHI and so does not trigger breach notification; an unencrypted one does.



When a covered entity or business associate suffers a breach of unsecured PHI, it must be reported: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, breaches affecting 500 or more individuals must be reported to HHS within that same window, and smaller breaches must be logged and reported to HHS annually. Once a report is filed, the questions start. Why didn't your Wi-Fi have a password? Why was your server unlocked and sitting under the reception desk? Aren't your employees trained to spot a phishing email? Didn't you have a policy defining permitted use of a workstation? Why didn't you have a Business Associate Agreement with your transcription service?

These are just a few of the questions an auditor could ask, and they only scratch the surface of what will be asked of you.



What is placed under the Magnifying Glass during an audit?

  • Security Risk Assessment: a critical part of your compliance and an explicit Security Rule requirement (the risk analysis in 45 CFR 164.308(a)(1)). The assessment looks for gaps in your administrative, physical and technical safeguards that could put protected health information (PHI) at risk.
  • Remediation & Risk Management Plan: you need a process for addressing the areas where your business falls short. The plan should cover how and when you will close each security gap discovered so far, and who owns each item.
  • Policies & Procedures: your company needs written policies and procedures, and you must ensure employees understand them and have signed off on them. Employees can't be expected to follow rules they are unaware of, and documented acknowledgment is vital evidence in the event of a security incident.
  • Security Officer: every organization must appoint a Security Officer (the Security Rule calls this the security official; the Privacy Rule separately requires a privacy official, and in a small practice one person can hold both roles). This individual is responsible for ensuring policies and procedures are created, understood by all employees, and acknowledged with documented proof, and that employees are trained on HIPAA routinely.
  • HIPAA Training: training is not only a requirement, it is the most direct way to reduce employee error. HIPAA and cybersecurity awareness training should be conducted regularly so that employees stay current on the latest threats and keep security best practices front of mind.
  • Business Associate Agreement: you MUST have a Business Associate Agreement (BAA) with every vendor that handles your patient data. A data breach at a Business Associate also lands on your company, so make sure your vendors take HIPAA compliance seriously.
  • Proof of network vulnerability scans, penetration tests, and breach notifications (if a breach occurred) are also common OCR requests. The Security Rule does not name scanning or penetration testing as such, but they are the usual evidence that your risk assessment and remediation plan are more than paperwork.



If your medical practice still relies on paper records, don't assume you are automatically exempt from HIPAA. If you submit claims on paper to a billing company and that company transmits them electronically to payers on your behalf, you are conducting a standard transaction electronically and HIPAA applies to you as well.



Decisions, Decisions…

An audit can be triggered at any time. If a complaint were filed against you tomorrow, would you be confident in your compliance? If the answer is no, work toward HIPAA compliance as soon as possible, before it's too late.




We are experienced in IT support, services, and solutions for medical offices and facilities. Working with a HIPAA-oriented Managed Service Provider is critical to securing patient health information and avoiding HIPAA violations against your practice. GCS delivers remediation for the mandatory protective measures so that you and your business are HIPAA compliant. We Manage Your Technology, so you can Manage Your Business!