How to Prepare for HIPAA Audits with Written Policies

The Office for Civil Rights is still conducting audits

If you are a health care provider, you’re undoubtedly familiar with the Health Insurance Portability and Accountability Act (“HIPAA”).  But what you may not know is that the federal agency responsible for ensuring HIPAA compliance announced a second wave of compliance audits earlier this year. 

Providers facing audits were notified in July.

So, does that mean that if you haven’t received an audit letter, you’re in the clear?  Not so fast.  If you have relationships with vendors who handle protected health information (“PHI”) on your behalf (in HIPAA-speak, such vendors are called “business associates”), you may still be subject to federal scrutiny. 

That’s because the Office for Civil Rights – the arm of the Department of Health and Human Services that investigates HIPAA violations – announced that it’s still in the process of identifying business associates for audit.  Plus, audit or not, it’s best practice to protect your patients’ PHI.

This round of audits will focus on the adequacy of written policies and procedures.  In plain English:  Ensure that you have updated written policies and procedures and that you adhere to them.

Severe Penalties for Violations

Anyone who creates, receives, maintains, or transmits PHI on behalf of another is potentially subject to HIPAA.  This includes patient safety outpatient clinics, physical therapists, physicians, dentists, chiropractors, and hospitals, to name a few.  Providers that are subject to HIPAA are called “covered entities.”

In short, if you work with PHI, you’re most likely subject to HIPAA.  And the penalties for HIPAA noncompliance can be steep, including criminal penalties and civil penalties up to $50,000 per violation.

The most common violations are: inadequate or non-existent written policies and procedures; unencrypted or stolen USB computer drives, laptops, and email that contain PHI; and inadequate security awareness and training for your staff and providers.

One sobering example:  The Office for Civil Rights slammed a covered entity for nearly $2 million in penalties when an unencrypted laptop containing PHI went missing – in large part, because investigators concluded that the covered entity used insufficient encryption throughout the entire company.

The Office for Civil Rights cautioned that these “major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.” 

Preparation is Key

It’s imperative that you implement HIPAA-compliant practices.  The first step is to conduct a rigorous self-assessment, focusing on your privacy and security strengths and weaknesses.  The assessment should consider at least three components: the technical security of the PHI; the administrative policies relating to authorized access to PHI; and the physical barriers to unauthorized access to PHI.

Self-assessments are required by HIPAA, but they also are crucial to maintaining patient confidences and your business reputation – losing PHI is bad for business.

Other things to consider:

  • Think and talk with your employees about compliance from the standpoint of an auditor.  The auditor will conduct a “compliance review of the policies, procedures, or practices” of the HIPAA provider or business associate.  In other words, you should ensure that you maintain and implement policies, procedures, and practices, consistent with HIPAA.
  • Familiarize yourself with the underlying HIPAA federal regulations relating to policies, procedures, and documentation requirements.
  • Train all personnel on HIPAA requirements.
  • Know where your PHI is stored.  Electronic mobile devices can be especially vulnerable to breaches.  “Covered entities and business associates must understand that mobile device security is their obligation,” warns Susan McAndrew, deputy director of health information privacy for the Office for Civil Rights. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
  • Ensure that all personnel use strong passwords (8 or more characters, upper and lower case, and so on) and a unique computer login for each employee; encrypt everything; use antivirus software; and lock file cabinets and doors.
  • Retain detailed documentation relating to any HIPAA-required documentation, PHI authorizations, patient complaints, personnel trainings, and any security breach.
  • Finally, HIPAA requires ongoing compliance, so self-assessments (see above) should be conducted at least annually, after any breach of PHI, and whenever the law changes.

Still not convinced that HIPAA compliance is serious business?  Here is the HIPAA Wall of Shame, a public list of HIPAA breaches.  Showing up there can’t be good for business.

So, get started on those self-assessments and written policies and procedures.

This blog is not a substitute for personalized legal advice.  Questions? Need help? Email me at