Audits and Evidence of Compliance – Will Your Organization Be Audited?

Posted by Gerry Blass

Journal of Healthcare Information Management – (JHIM) – Summer 2014

Used by permission from HIMSS.

Download the JHIM PDF version of this article

Despite the many changes in HIPAA (Health Insurance Portability and Accountability Act) leadership at the Office for Civil Rights (OCR, U.S. Department of Health and Human Services), the need to meet HIPAA compliance will not change; in fact, the industry has been promised that complaints, audits, and breach investigations will continue. So there is certainly a risk that your organization (if you are a covered entity [CE] or business associate [BA]) will be audited.

OCR continues to publish information about its audit program and what to expect in 2014-2015. The evaluation of the first two years of audits (Phase 1) has been completed, and OCR is now ready for the next phase. They are in the process of increasing regional staff, as evidenced by the fact that in spring 2014 they advertised for additional staff for several regional offices.

History and Statistics

OCR’s Overall Cause Analysis for Phase 1 is as follows [1]:

  • For every finding and observation cited in the audit reports, OCR has identified a “cause.”
  • Most common cause (30 percent) across all entities was “entity unaware of the requirement.”
  • Most of these related to elements of the rules that explicitly state what a CE must do to comply.
  • Other causes include:
      o Lack of application of sufficient resources
      o Incomplete implementation
      o Complete disregard

In Phase 2 audits, OCR can select any CE along with a number of BAs that will be audited through the CEs. Selected CEs will receive notification and data requests in fall 2014. OCR will begin to select BAs for review in 2015. In 2014, the plan is to audit as follows:

  • Privacy: 33 health plans, 67 providers.
  • Security: 45 health plans, 100 providers, and 5 clearinghouses.
  • Breach Notification: 31 health plans, 65 providers, and 4 clearinghouses.

In 2015, the plan is to audit 50 BAs—all in security.

Could your organization be selected for an audit? The answer is obviously yes. So how do you prepare? We recommend that your organization conduct a document review and organize all your HIPAA privacy, security, and breach notification policies, procedures, plans, and evidence of due diligence in one place for easy access to provide to OCR. Remember that OCR only provides a two-week notice. If your organization’s documentation is not organized, two weeks may not be enough time to get ready for the audit. Start with HIPAA-HITECH (Health Information Technology for Economic and Clinical Health [Act]) Security and then Breach and Privacy. Your organization should conduct and document periodic risk analysis and assessments (e.g., every year) and whenever there are organizational, technical, physical, administrative, and/or regulatory changes. It is also important for your organization to have and show documented proof of a comprehensive workforce training program for HIPAA-HITECH rules. We have learned from our implementation and audit practices that the following items represent strong evidence of due diligence:

  • HIPAA Privacy, Security, and Breach policies, procedures and related documents, updated to the Omnibus Rule additions and changes; reviewed yearly; updated as necessary.
  • Breach Plan, including annual table top audits.
  • Training Plan, including evidence of training and training curriculum.
  • Communications Plan, with meeting agendas and minutes.
  • Disaster Recovery Plan, including annual table top audits.
  • Audit and Monitoring Plan, reviewed annually.
  • Governance documentation, with meeting agendas and minutes.
  • Annual internal proactive and reactive HIPAA audits and documentation.
  • Annual Security Risk Analysis/Assessment and documentation.

It is important to keep in mind that the knowledge OCR gained during its Phase 1 audits will keep it focused on what it will review during Phase 2 audits, so your organization should be prepared accordingly. Consider conducting mock audits both internally and via an outsourced third-party organization that has the expertise to help you prepare. And, if your organization is an eligible hospital, eligible professional (physician), or critical access hospital with regard to the meaningful use (MU) rule, there are requirements for information security assessments, reviews, and updates for each stage. So from a HIPAA-HITECH Security standpoint, conducting information security risk assessments and organizing your evidence documentation will serve to prepare your organization for the potential of two audits: one by OCR and one by CMS (Centers for Medicare and Medicaid Services) for MU. And remember that OCR and CMS auditors will not accept a simple answer to meeting standards and implementation specifications for the HIPAA-HITECH rules. They will request documented evidence of proof, as has been discussed.

About the Authors

Gerry Blass is the President & CEO of ComplyAssistant. Gerry has over 35 years of experience in healthcare IT and compliance. Gerry provides IT and compliance consulting services and software (also called ComplyAssistant) that automates the management and documentation of healthcare compliance activities. To learn more visit

Susan A. Miller, JD has 40 years of professional leadership experience spanning college teaching, biochemistry research, and law. Since 2002, Susan has provided independent consulting and legal services to numerous healthcare entities including NIST and HHS. She has co-authored two OCR audit protocol prep-books, HIPAA Security Audit Prep Book and HIPAA Breach & Privacy Audit Prep Book. You may reach her at Blass and Miller are co-founders of HIPAA 411, a LinkedIn group.

REFERENCE

1. Sanches L. OCR Audits of HIPAA Privacy, Security, and Breach Notification, Phase 2. [Presentation]. U.S. Department of Health & Human Services, Office for Civil Rights. HCCA Compliance Institute. March 31, 2014. Accessed July 10, 2014.
