Is Your Practice Prepared for a HIPAA Audit?

Approximately 20 years ago, the United States Department of Health & Human Services (HHS), acting on the mandate of the Health Insurance Portability and Accountability Act (HIPAA), published a final regulation known as the Privacy Rule. Under HIPAA, covered entities, including healthcare providers, payers and clearinghouses that create, receive or transmit protected health information (PHI), must comply with the HIPAA Security Rule and its administrative, physical and technical safeguards.

In 2020, a total of 26,530 complaints were filed with the Office for Civil Rights (OCR) alleging that a HIPAA-covered entity or its business associate violated someone’s health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules. Although every covered entity and business associate is subject to an audit, most small physician practices aren’t prepared for one.

Most HIPAA audits are triggered in one of three ways:

  • Random selection for an audit by the OCR
  • A complaint filed with the OCR by an individual against your organization
  • A breach that occurs and is then self-reported to the OCR

Compliance Challenges

For many small physician practices, achieving HIPAA compliance can be challenging because of a lack of skilled personnel, resources and budget. As a result, they fall into common HIPAA violations such as missing encryption, hacking or phishing incidents, unauthorized access, lost or stolen devices, improper sharing of information, improper disposal of PHI and accessing PHI from an unsecured location.

There are other reasons small practices have difficulty making sure their systems are HIPAA-compliant. One is relying on unverified claims from companies offering IT and technology solutions. Some practice managers assume that a vendor promoting HIPAA compliance is telling the truth, without asking for actual proof in the form of a proper business associate agreement (BAA) or a second opinion. It’s a common mistake for owners of small practices to believe vendors are taking care of HIPAA security issues, even when this isn’t the case.

Examples of Non-compliance

Even though a HIPAA audit can result in fines and penalties for physician practices, many still don’t have the correct policies and procedures in place to avoid them. According to 2021 HIPAA survey data from SecurityMetrics:

  • Almost 30 percent of respondents don’t have a formal risk management plan.
  • Roughly 35 percent never review their data prevention tool logs.
  • Only 43 percent of respondents conduct internal audits at least annually.
  • Nearly 20 percent of respondents don’t have any incident response plan policies in place.

The HHS HIPAA Audits Industry Report, released in December 2020, included data on 166 covered entities and 41 business associates that were audited in 2016 and 2017 for compliance with selected HIPAA provisions. Although covered entities demonstrated compliance in two of the seven areas audited, 89 percent failed to meet the requirements for the other selected provisions, such as adequately safeguarding PHI, ensuring the individual right of access and providing appropriate content in their Notice of Privacy Practices (NPP).

The Advantages of a HIPAA-first Attitude

Small physician practices don’t have to spend thousands of dollars to be ready in case of a HIPAA audit by OCR. However, they should conduct a risk analysis incorporating the following elements recommended by HHS:

  1. Scope of the Analysis
  2. Data Collection
  3. Identify and Document Potential Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine the Likelihood of Threat Occurrence
  6. Determine the Potential Impact of Threat Occurrence
  7. Determine the Level of Risk
  8. Finalize Documentation
  9. Periodic Review and Updates to the Risk Assessment

The Healthcare Information and Management Systems Society (HIMSS) notes that risk must be gauged based on factors such as probability of occurrence, impact on the organization and prioritization of the risk, and that the analysis should be conducted or reviewed regularly, at least once per year. Physician practices of all sizes also should develop an incident response plan and test it regularly.

At RingRx, we urge you to take the reins on HIPAA compliance. Work only with vendors who have a “HIPAA first” attitude and build systems specifically with compliance in mind. Our phone system was built exclusively for healthcare practices and guarantees compliance. We offer a signed BAA upon starting your service, meaning you don’t have to worry about security when it comes to communicating with your patients. Our goal is to help you update legacy phone systems and modernize your practice, all while staying 100 percent HIPAA-compliant.

Start your free 30-day trial of RingRx today!