Warning: HIPAA Audits Set to Increase in 2017

We all have compounding daily, weekly and monthly tasks that get pushed back due to the fires you have to put out right now. But, eventually those seemingly insignificant tasks have to be addressed.

This is a guest post written by Chad Kissinger, Founder of OnRamp.

For many in healthcare and healthcare technology, preparing for phase II of the HIPAA Audit Program is one of those tasks that gets pushed off until it’s too late. Any business that operates within the lawful confines of HIPAA, should already have matters well in order, but it’s a complex process that requires vigilance and constant attention to stay up-to-date with regulation.

The Department of Health and Human Services (HHS) started sending out notifications to Covered Entities (CEs) and their Business Associates (BAs) via email in April of 2016.

The Compliance Enforcement Index reported:

“The Office for Civil Rights (OCR) has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pool […] If a covered entity or business associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.”

The OCR notes that it’s your organization’s responsibility to respond to their email within the given time limit. The only covered entities and business associates exempt from this round of auditing are “entities with an open complaint investigation or that are currently undergoing a compliance review organizations exempt.”

Don’t Panic. Be Sure You’re Prepared

We shared a few things that would help you prepare for this phase of audits—and the simplest and most critical action to take now is to ensure that you have whitelisted OSOCRAudit@hhs.gov. The last thing you want is to have notices go to your spam folder!

The OCR clearly stated that they expect you to be aware of their first round of notices, as well as any subsequent emails. And because you only have 14 days from initial contact to verify information and ten days from any contact to address audits, time is of the essence. Once you check to make sure that you’ve whitelisted their email domain, we recommend double checking your spam filters. Then, make sure the contact information you provided the OCR is still valid.

According to the sample letter posted on the HHS site, “If we [OCR] do not receive a response from you, we will use this email address for future communications with this entity. Failure to respond will not shield your organization from selection.” The OCR’s email notifications include a deadline for responding to their request for verification of your contact information. The deadlines for response may have already passed, so if you have not responded to the OCR’s first notification, the default is that they will send future notices to this email address.

The first round of desk audits will start with Covered Entities, followed by Business Associates. Audits that started in 2016 will likely continue into next year; some organizations will face more detailed reviews and may also be subject to onsite reviews.

An Increase in Federal Budget for the OCR Means More Resources… and More Audits

President Obama’s proposed budget for the fiscal year 2017 includes $1.15 trillion for HHS, an increase of 3% over the 2016 fiscal budget. The OCR is set to receive $43 million, versus $39 million in 2016 and 2015. The purpose of the funding is to aggressively pursue auditing to ensure that both Covered Entities and Business Associates take HIPAA compliance seriously. (Because Congress approves these budget allocations, the increase signals that enforcement is a funding priority.)

Alongside the email notifications that began in April of 2016, the OCR published an audit protocol to help organizations prepare for the audits, regardless of how the audits were triggered. Some were part of phase 2 of the HIPAA Audit Program while others were part of a consumer complaint or breach report. There are 180 areas of scrutiny in the protocol. Be warned: You will need to have your documentation and requested materials organized and ready should you be selected for an audit.

The Right Partnerships Are Critical

The key takeaway from the HIPAA Omnibus Rule is that BAs and their subcontractors are directly liable for HIPAA compliance, including security breaches. If you outsource your cloud storage or use a managed service provider to create, transfer, or store your HIPAA-regulated data, you’ll want to take note. Your provider must be able to prove compliance, and if they are not able to demonstrate this to you, please change providers immediately.

As mentioned, there are approximately 180 different areas that may be addressed in an audit. The OCR’s audit protocol specifically notes: “Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The auditor will not search for relevant documentation that may be contained within such compilations.” This means that a high-level overview, or a policy binder the auditor is expected to dig through, is not acceptable.

Organization is Key

If you haven’t already, it’s important that you organize all relevant audit documentation and develop training programs for employees, contractors, and partners to ensure that they’re aware of their role in your organization’s compliance. Don’t forget to check how your partners and providers will prove they’re compliant, too. These are just a few ways to prepare for a compliance audit. Depending on the size and nature of your organization, you may be held to additional requirements.

Non-compliance can result in fines, required remediation, legal costs, loss of reputation, and may even cause your business to permanently close. Even if you’ve made it to this point without an audit, it’s only a matter of time before it’s your turn. Keep your documentation and processes up to date and continue to improve upon your compliance.

Feel free to visit the HHS Compliance website for more information.

Source: This article was originally published on the OnRamp blog.

Since founding OnRamp in 1994, Chad Kissinger has driven the growth and evolution of the company from a start-up ISP to an established provider of data center services, with a focus on HIPAA compliance and high security. A founding member, Former President and Legislative Chair of the Texas Internet Service Provider Association and leader in the development of OnRamp’s HIPAA Compliant Hosting solutions, Kissinger is an expert in data center technology, data privacy and security issues.