Audit. That one word causes a lot of fear in people, even law-abiding taxpayers who follow the rules and regulations of the Internal Revenue Service (IRS) to a tee. 

The United States Department of Health & Human Services (HHS) conducts a different type of audit, although no less scary to healthcare organizations subject to it. We are, of course, talking about the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). 

Under HIPAA, covered entities — including healthcare providers, payers and clearinghouses that create, receive or transmit protected health information (PHI) — must comply with HIPAA’s Security Rule and its administrative, physical and technical safeguards. If not, they are subject to both civil and criminal penalties. 

The cost of such penalties varies. The fee for criminal violations ranges from $50,000 to $250,000. Civil penalties start at $127 per violation and can rise to $1,919,173 when a violation is attributable to willful neglect and not corrected within 30 days. 

HIPAA Audit Commonalities 

Similar to other types of audits, those conducted by the HHS aren’t scheduled regularly. Most HIPAA audits occur as a result of one of three common ways:

  • A random selection for an audit by the OCR
  • A complaint is filed to the OCR by an individual against your organization
  • As a result of a breach occurring and then being self-reported to the OCR 

Although every covered entity and business associate is eligible for an audit, most small physician practices aren’t prepared for one. Achieving HIPAA compliance can be challenging due to lacking skilled personnel, resources and budget. 

The result? They encounter common HIPAA violations such as lack of encryption, getting hacked or phished, unauthorized access, loss or theft of devices, sharing information, disposal of PHI and accessing PHI from an unsecured location. Also, just because a vendor might promote HIPAA compliance, you don’t know for sure without asking for actual proof in the form of a proper business associate agreement (BAA) or a second opinion. 

Even though a HIPAA audit can result in fines and penalties for physician practices, many still don’t have the correct policies and procedures to avoid one. According to 2023 HIPAA survey data from SecurityMetrics:

  • Almost 35 percent of respondents don’t have a formal risk management plan
  • Roughly 35 percent never review their data prevention tool logs
  • Nearly 35 percent of respondents don’t have any incident response plan policies in place.
  • Only 40 percent of respondents encrypt patient data.
  • Fewer than half of respondents conduct employee HIPAA training annually 

The Importance of a HIPAA-First Attitude 

Healthcare practices don’t have to spend thousands of dollars to be ready in the case of a HIPAA audit by OCR. However, they should conduct a risk analysis incorporating the following elements as recommended by HHS:

  • Scope of the analysis
  • Data collection
  • Identify and document potential threats and vulnerabilities
  • Assess current security measures
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Determine the level of risk
  • Finalize documentation
  • Periodic review and updates to the risk assessment 

The Healthcare Information and Management Systems Society (HIMSS) notes that risk must be gauged based on factors such as probability of occurrence, impact on the organization and prioritization of the risk and should be conducted or reviewed regularly and at least once per year. Physician practices of all sizes should also develop and test an incident response plan regularly. 

At RingRx, we urge you to take the reins on HIPAA compliance. Work only with vendors with a “HIPAA first” attitude and build systems specifically with compliance in mind. Our phone system was built exclusively for healthcare practices and guarantees compliance. Upon starting your service, we offer a signed BAA, meaning you don’t have to worry about security when communicating with your patients. Our goal is to help you update legacy phone systems and modernize your practice, all while staying 100 percent HIPAA-compliant. 

Start your free 14-day trial of RingRx today!