HIPAA Audits: The Importance of Preparing and the Significance of Compliance

Posted by Ken Reiher


The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act establish national standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and notification of individuals when their PHI is breached. The HITECH Act requires the Department of Health and Human Services (HHS) to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The HHS Office for Civil Rights (OCR) enforces these rules.



In 2011, OCR established a pilot audit program to assess the controls and processes that covered entities had implemented to comply with the HIPAA rules. The pilot was a three-step process. The first step was developing the audit protocols. Next, a limited number of audits were conducted as an initial test of those protocols, and the results were used to revise how the remaining audits would be conducted. The last step was conducting the remaining audits using the revised protocol materials. All audits in the pilot were completed by the end of December 2012, and the resulting changes took effect in March 2013.

Where Things Stand Today

Through this pilot program, OCR developed a final protocol used to measure the compliance efforts of covered entities and business associates. Major components to note include the following:

  • All covered entities and their business associates are eligible for an audit.
  • Those selected for an audit will receive an email notification of their selection, followed by an OCR document-request letter asking them to provide documents and other data. The notification letter will introduce the audit team, explain the audit process, and present OCR’s expectations in more detail.
  • Audited entities will submit documents online via a secure audit portal on the OCR website. Auditors will review the submitted documentation, then develop and share draft findings with the entity. Auditees will have the opportunity to respond to the draft findings, and their written responses will be included in the final audit report.
  • The audit requirements will vary according to the nature of an individual's or organization's business.

The consequences of failing to comply with HIPAA can be significant. Individuals and organizations that fail a HIPAA audit are usually given time to correct their deficiencies, unless it is found that they have shown “willful neglect” of the rules. In cases of willful neglect, a substantial financial penalty can be levied. Ignorance of HIPAA or its requirements is not accepted as a justification for failing to comply.

How can ComplyAssistant help with your HIPAA audit preparedness?

  • Our HIPAA compliance consultants provide a risk assessment of all the regulatory standards and implementation specifications, identifying any weaknesses in your current procedures and security strategies that could result in the unauthorized disclosure of PHI.
  • We also offer HIPAA compliance software, which enables you to manage HIPAA policies, procedures, and evidence of operational compliance for your organization.

To learn more, contact us for a complimentary evaluation. You can reach us at 800.609.3414, via email at info@complyassistant.com, or by filling out the form on our contact page.