Would your practice survive an audit?

HIPAA Audits

There are many different types of “audits”, so when we refer to audits, we are referring to a “HIPAA audit”. When anyone mentions HIPAA audit, most practices think it won’t happen to them. I hear so often; I have never seen the “HIPAA Police” come around and do an audit. Well, they don’t just walk in off the street, but it only takes one patient complaint, a disgruntled employee, or a data breach to trigger an investigation. I have said this MANY times… and I feel the need to repeat it one more time! HIPAA has changed a few times over the years, one thing that has not changed since 1996 – HIPAA compliance is here to stay, and it is not optional.

When an investigation is opened, depending on the documentation you provide will determine whether a desk audit is conducted. For example, many OCR (Office for Civil Rights) investigations find systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. With the “recognized security practices”, the OCR may review a minimum of 12 months of your documentation. The good news is, if you have documented your compliance efforts, you may not be fined or penalized! The OCR is trying to incentivize practices to step up their data security practices. Keep in mind, this must be documented. Just another reason why our clients are moving to our online compliance platform!

Employee mistakes are the typical cause of a security incident or data breach. Someone clicks on a link, opens an infected website, or falls for a phishing scam. This is a HUGE problem; all you have to do is go to the OCR breach portal and you can see for yourself the number of breaches reported for hacking. Educating your staff is #1, along with good data security practices that are documented.

Lost or stolen devices are also a problem unless they are encrypted. Security incidents must be reviewed, and the outcome documented. If a device is lost or stolen and it is encrypted (and documented as such) it is not a reportable breach!

Another area that the OCR reviews (depending on the complaint or violation) is employee training. HIPAA training requires periodic updates, and it is recommended that all staff including physicians attend annual HIPAA training. Again, this must be documented.

Background checks are so important and often overlooked. I can’t stress this enough… background checks are more than calling the “references” the candidate offers you. Of course, they will give glowing reviews! Insider threats are becoming more of a problem. People pose as a “great” employee, only to steal patient information, or some may just be curious and open patient records that they are not authorized to. Both situations can lead to data breaches or violations. Utilizing a professional company to conduct your background checks will provide you with the appropriate documentation.

Have you noticed something that all these areas have in common? DOCUMENTATION! If is not documented, it doesn’t exist in the eyes of the OCR.

Do you know why the OCR is coming down hard on the lack of data security? Because patient data is valuable, and hackers and scammers are trying to get to YOUR patient data. This is some of the most sought-after information because it contains everything needed to steal a person’s identity. It is easy to get a new credit card number, but you can’t get a new social security number. One more thing, some identity thefts lead to medical identity theft. This can be deadly if someone’s medical information is changed.

These are just friendly reminders to keep your practice safe and secure!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:


Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

Information Blocking Rule – Best practices to prepare now

January 15, 2022

What are common HIPAA violations and how to avoid them?

March 4, 2022
©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC