Rivas Goldstein, LLP

Call Our Austin Office: 800-761-5190

Celebrating Our 20th Year Representing the Interests of Health Care Professionals and Entities

An Austin Firm Dedicated to
Health Care Law

Attorneys Image
  1. Home
  2.  → 
  3. Health & Health Care Law
  4.  → Anatomy of an HHS audit

Anatomy of an HHS audit

The United States Department of Health and Human Services (HHS) recently announced updates to its Phase 2 Health Insurance Portability and Accountability Act (HIPAA) Audit Program. These audits aim to check for an entity’s compliance with certain requirements. The exact focus of the audit can vary depending on the type of entity or business under review. These audits are generally checking for the facility’s ability to meet privacy, security, and breach notification requirements.

Health care providers, health plans or healthcare clearing houses that create, maintain, or transmit personal health information are subject to these requirements. These covered entities must implement technical, physical, and administrative safeguards to make sure all personal health information is secure. Examples include:

  • Technical. Safeguards include a way to control access, such as a username or PIN code, and activity logs.  
  • Physical. Use of policies to control use of workstations and control of this information on mobile devices.
  • Administrative. The group should have a risk management policy and conduct risk assessments. This should include clear sanctions for those who do not comply with HIPAA policies.

In the event of an HHS HIPAA audit, investigators will likely request the covered entity provide specific documents. The agency notes that it will not review a mass of documents to find the specific request. Instead, it is best for the entity to provide what is requested.

How can I better ensure my organization passes an HHS HIPAA audit?

You can better ensure your organization survives these audits by proactively reviewing your HIPAA compliance. The first step generally involves knowing which assessments apply to your organization. At that time, you should conduct internal audits to make sure your organization follows these requirements. It is often wise to have a HIPAA compliance officer on staff and regular training to help better ensure compliance is not an issue.

Why should my organization take the time to review for compliance?

Because a failure to comply can come with steep penalties. Simply not complying leads to fines. You could also face additional civil penalties and even criminal charges if a failure to comply also results in a breach.