HIPAA audits delayed — but this compliance risk for hospitals is still lurking

There’s good and bad news for providers who were stressed about the upcoming HIPAA audits. The good news: There’s more time to ensure compliance. The bad news: You might still be at risk through an outside factor. 

A large number of big-ticket protected health information (PHI) breaches this year has given the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) many chances to send a chilling message to other providers. That message: Be in compliance, or be prepared to pay big penalties for violations.

The OCR is planning on coming down even harder on facilities that haven’t put in preventive security measures. It’s no wonder then that many hospital leaders have been breaking out in a cold sweat about the next phase of audits, which were set to begin this fall.

Holding off on audits

But now it looks like facilities will have some extra time to get their compliance programs in order, according to HealthITSecurity.

Linda Sanches, the OCR’s information and privacy security senior advisor, recently announced at a privacy and security forum in Boston that the audits would be delayed. The OCR is using the time to implement a new web portal that would reduce the administrative burden on audited providers, and facilitate submitting requested documents.

So far, Sanches has only told providers to “stay tuned” about when the audits will officially begin. But as a result of the delay, the OCR will be conducting fewer automated desk audits and more comprehensive on-site audits than originally planned.

However, Sanches noted that the OCR would still be choosing a diverse mix of providers to audit, and offered some advice on how facilities can get ready.

The OCR will be looking for periodic risk analyses that evaluate potential vulnerabilities from administrative, technological and human errors. It also will be looking for meticulous documentation about potential risks, preventive measures and other policies and procedures related to PHI security.

Focus on business associates

Sanches also advises facilities to create comprehensive lists of business associates (BAs) and their roles in the organization.

That’s because this is the first year the OCR will also be auditing facilities’ business associates for compliance. Unfortunately, many BAs aren’t familiar with HIPAA security rules or how to show compliance, as Fierce HealthIT reports. That means your BAs could be your hospital’s biggest security risk.

This is especially concerning because if BAs aren’t HIPAA compliant, providers could still be the ones hit with financial penalties.

Some ways to ensure your BAs are staying compliant with HIPAA:

  • document the security programs they have in place
  • insist on annual attestation from BAs that they’re taking steps to protect PHI, and
  • ensure that BA contracts include provisions about HIPAA’s BA regulations.