What is your Risk of a HIPAA Audit?
The risks of HIPAA audits vary drastically from organization to organization depending on what types of PHI or ePHI you store, what other organizations you work with, and what steps you have taken to guard this information. The best way to determine your company’s specific level of risk of a HIPAA audit or breach is to conduct a full risk assessment. In addition to being a requirement of the law under the HHS, these assessments also help to pinpoint potential spots of concern within your organization and its management of PHI. In this blog, we’ll address some key processes or actions that you may be taking that open your organization up to a much higher level of risk of an audit.
What is a HIPAA audit?
In order to understand why you should put time and effort into mitigating the risks that you may be susceptible to, you should first consider what a HIPAA audit from the Office of Civil Rights (OCR) within Health and Human Services (HHS) consists of. Having a complete picture of an audit and its potential outcomes may help you to see why this is worth spending time and effort to avoid!
A HIPAA audit is a protocol that the OCR follows which assesses the policies, controls, and processes that covered entities or business associates are utilizing in order to comply with HIPAA and protect PHI and ePHI. Each audit follows consistent steps which go through separate modules for each rule of HIPAA to evaluate that organization’s compliance with the standards of that piece.
If an organization is selected by the OCR to participate in the audit program, then they will be notified of this and then asked to provide various documents and data that will specifically be requested in this notification. At this point, the organization will submit all the requested information to the OCR via the requested secure portal, which will allow the OCR to begin to investigate all of this data. Once the OCR reviews each document, they will then produce a final audit report which includes the organization’s comments back to this resolution.
When do they occur?
HIPAA audits typically occur as a result of a few different situations, here are three of those common ways:
- A random selection for an audit by the OCR
- A complaint is filed to the OCR by an individual against your organization
- As a result of a breach occurring and then being self-reported to the OCR
Why is it important?
HIPAA audits most commonly lead to weighty fines, complex corrective action plans, and lengthy investigations being conducted towards your organization. All of these things present challenges and hurdles that make it harder for your company to continue to do the daily tasks that are important to your patients or customers.
But beyond the fear of experiencing a significant time or financial cost, the fear of having a data breach or cybersecurity attack that compromises the PHI that you store should be reason enough to take the necessary steps to comply with HIPAA. The patient information that you store, process, create, or transmit is incredibly valuable to that individual but is also valuable on the dark web to those who have harmful intentions for it. That is why it is of utmost importance, even beyond the reason of an audit, for organizations under HIPAA to take all the precautions possible to keep PHI safe and secure.
What Actually is my Risk of Being Audited?
This is probably the question that you came here to have answered - what really is your risk of having the OCR audit your company? I wish that I could offer you a well-researched and objective percentile-chance of your ever being subjected to a HIPAA audit - but unfortunately, that’s not really the way that it works. As mentioned above, HIPAA audits can be initiated for a number of different reasons and purposes, each of which would come with its own set of odds of it occurring for you.
For example, a majority of the HIPAA settlements that have been reached in the past year have been under the Right of Access Initiative, and these almost exclusively originated from a specific patient’s complaint to the OCR over their request not being fulfilled. There is no real way to predict whether a patient of your practice or organization will be one that is quick to submit a ticket to the OCR or not. Before you take your odds on this, remember that the average cost of an OCR settlement in the past year sits right at $1.1 million.
If you prefer to take your chances at undergoing a full investigation that results in your company shelling out a million dollars, then that is the risk that you are accepting. But I would suspect that most companies would be very motivated to ensure that a fine like that is never levied against them.
How to be Ready for an Audit:
The best thing to do to prepare for an audit in the first place is to take the time and steps towards HIPAA compliance far before there is any risk or notification of an audit. HIPAA compliance is something that all companies that work with PHI should be proactive about since regardless of an audit, they hold the responsibility to keep this information secure. However, aside from the need to be compliant, there are a few specific steps that will assist the company and prevent an audit from being as daunting. Here are a few:
- Perform regular and comprehensive risk analyses
- Keep a clear inventory of all business associate agreements, contracts, and HIPAA-related policies and procedures
- Document all locations where PHI or ePHI are stored include file cabinets, internal databases, laptops, paper files, and more.
- Train all employees that have access to PHI on HIPAA each year, and maintain records of these training certificates
The list of HIPAA requirements and potential investigation points during an OCR audit may seem entirely overwhelming for one person to figure out how to comply with. Although every organization under HIPAA needs a privacy officer, that person does not have to create, update, maintain, or bear the responsibility of an audit should it come your way. Instead, Accountable has created a simple, step-by-step process within our platform that helps you achieve HIPAA compliance but also is a central location for all HIPAA information compliance (such as policies and procedures, not PHI) to be stored and held securely. This is a great asset so that in the event that you are subjected to an audit, you will be able to provide all of the information the OCR is requesting from you in a quick and stress-free manner. Our platform is simple and trusted by thousands of companies without having been through a single audit, try it out for free today!