New HIPAA Audits May Prove Burdensome, Attorneys Say

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By James Swann

March 25 — The long-awaited next round of HIPAA audits has started, and providers may face a host of compliance and enforcement challenges, health-care attorneys told Bloomberg BNA.

For example, the Health and Human Services Office for Civil Rights said it may conduct additional compliance reviews if an audit uncovers “serious issues,” which could lead to civil monetary penalties, Daniel Gottlieb, an attorney with McDermott Will & Emery in Chicago, told Bloomberg BNA March 23.

Gottlieb said it's unclear how the OCR will define what constitutes a “serious issue,” and that uncertainty will be a burden to providers.

Certain policies that haven't been updated recently could become the grounds for additional compliance reviews outside the audit process, depending on the OCR's definition of a serious issue, Gottlieb said.

OCR Director Jocelyn Samuels announced the start of the phase two audits at a March 21 conference.

(Click on image to enlarge.)

Preparing for a HIPAA audit

The compliance audits are intended to determine if health-care organizations and their contractors are complying with the Health Insurance Portability and Accountability Act's Privacy, Security and Breach Notification rules.

While the first round of audits focused solely on covered entities, phase two will address covered entities and business associates.

The audits are being conducted by FCi Federal, a government services provider in Ashburn, Va., that was awarded the contract in October 2015 .

Gottlieb said some covered entities, such as small physician practices, might have some HIPAA compliance issues involving their comprehensive risk assessments, which can be very data intensive and complicated for organizations with limited resources.

However, Gottlieb said he expected larger covered entities and business associates would be up-to-speed on HIPAA compliance.

“Organizations that prioritize HIPAA compliance should do pretty well, but no one is perfect,” Gottlieb said.

Data security is an ongoing process, Gottlieb said, and organizations should continuously make changes to their policies to meet a changing threat environment, including hacking attempts and patient data shared via social media channels.

Justified Enforcement

The next round of audits has been characterized by the OCR as a compliance improvement exercise, but covered entities and business associates may be in store for more enforcement actions as the OCR uncovers serious issues, Eric Fader, an attorney with Day Pitney LLP in New York, told Bloomberg BNA March 24.

“At this point, the OCR could be excused for calling almost any HIPAA violation a serious issue,” Fader said.

HIPAA has been around a long time and the OCR has provided plenty of warnings over the last few years, Fader said.

James Bowers, an attorney with Day Pitney in Hartford, Conn., said the OCR is likely to ramp up HIPAA enforcement after the criticism it received from the HHS Office of Inspector General in a September 2015 report .

The OIG said in the report that the OCR wasn't investigating enough small data breaches or keeping track of all health-care organizations it finds in violation of federal privacy laws.

“OCR's knuckles were rapped pretty hard, so going forward there's going to be a no-nonsense enforcement policy,” Bowers told Bloomberg BNA March 24.

Bowers said he expected to see steeper fines and more corrective action plans.

Audit Priority Items

Gottlieb said the OCR's phase one audits, which were conducted in 2011 and 2012, identified several areas of concerns regarding HIPAA compliance, and he said the upcoming phase two audits are likely to focus on them.

For example, a significant portion of audit subjects from phase one hadn't performed a comprehensive security risk assessment, Gottlieb said.

“Organizations should review their risk assessments and see if they comply with the HIPAA Security rule as well as OCR guidance,” Gottlieb said.

Gottlieb said he expected the second round of audits will also focus on the HIPAA Security rule's provisions concerning the secure disposal of electronic devices and encryption of data in transit and at rest.

“A lot of recent OCR enforcement has focused on stolen unencrypted laptops,” Gottlieb said.

The OCR reached two multimillion-dollar settlements in March with providers over stolen unencrypted laptops .

Audit Preparation

In preparation for a potential HIPAA audit, organizations should identify and gather all of their documentation related to the OCR's phase one-identified priority areas and should ensure their security policies are reasonable and updated, Gottlieb said.

Kevin Page, an attorney with Waller Lansden Dortch & Davis, LLP in Nashville, told Bloomberg BNA March 23 that covered entities should maintain a list of all their business associates as well as have written HIPAA compliance policies and procedures in place.

Page said the audits will likely look to see if organizations have conducted a comprehensive, enterprisewide security risk analysis and if they've implemented a risk management plan based on the results of the analysis.

“I suspect we'll be seeing more audits, and what they learn from these current audits will inform future audits,” Page said.

Page said it would be smart for business associates to be make sure they're up to speed on the HIPAA Privacy and Security rules, as this will be the first time they're having to open their books to the OCR and demonstrate compliance.

Day Pitney's Bowers said business associates are increasingly holding large amounts of patient data either in electronic health records or in cloud storage.

“These vendors have to make certain the data is secured six ways to Sunday,” Bowers said.

Little Cause for Alarm

While the upcoming phase two audits may be inconvenient for organizations as they gather their HIPAA policies and procedures, there's little cause for alarm, Colin Zick, an attorney with Foley Hoag LLP in Boston, told Bloomberg BNA March 24.

Zick said the audits are trying to encourage good compliance and aren't designed to be punitive.

“If you haven't pulled the HIPAA compliance binder off the shelf in a while, this would be a good time to start,” Zick said.

When it comes to HIPAA compliance, no one's perfect and breaches will happen, Zick said.

Organizations with strong underlying HIPAA compliance policies and procedures are less likely to face enforcement action if compliance problems are found, Zick said.

Zick also said covered entities are likely to fare better in HIPAA audits than business associates, which are organizations that contract with health-care organizations.

“There's such a variety of business associates, it's a much greater challenge for them to stay in compliance,” Zick said.

Looking to the future, a big question is what the next phase of audits will look like, Zick said.

“Will they decide not to do any more because the results show everyone's OK with compliance, or will they will ratchet up enforcement?” Zick said.

Planning Ahead

Zick said that before any potential HIPAA audit, covered entities and business associates should:

  • locate all HIPAA compliance policies and procedures, and find out when they were last updated;
  • review all risk assessments;
  • update any policies as necessary; and
  • schedule training.

    Zick also said organizations need to cooperate completely with an audit request.

    Reece Hirsch, an attorney with Morgan, Lewis & Bockius LLP in San Francisco, echoed Zick's comments and said it's crucial for audit subjects to respond within the mandated 10-day period.

    “Make sure the audit-related address verification letter doesn't end up in your spam folder,” Hirsch told Bloomberg BNA March 24.

    Organizations should create audit response teams to ensure they meet the response deadline, and should perform document-gathering dry runs to determine how fast the process is, Hirsch said.

    Hirsch said it's important that an organization's HIPAA compliance policies and procedures are updated.

    “If you've done your updating prior to the audit start, you're OK, but if you do your updating after you receive an audit request, that's a different story,” Hirsch said.

    To contact the reporter on this story: James Swann in Washington at

    To contact the editor responsible for this story: Kendra Casey Plank at

    Request Health Care on Bloomberg Law