What Happens During a HIPAA Audit?
Anyone who works in and around HIPAA has been taught to fear a HIPAA audit (also known as an OCR audit) and to avoid one at all costs. But you may not know why people are so adamant about preventing one. Common questions we hear are “What happens during a HIPAA audit?” and “Why is that something I should be afraid of?” We want to answer both of these questions, and a few more, so that you understand what the process looks like in case you are ever required to undergo an audit.
What is an OCR Audit?
A HIPAA audit is a protocol the OCR follows to assess the policies, controls, and processes that covered entities or business associates use to comply with HIPAA and protect PHI and ePHI. Each audit follows consistent steps and works through separate modules, one for each HIPAA rule, to evaluate the organization’s compliance with the standards of that rule.
If an organization is selected for an OCR audit, it will be notified and asked to provide the specific documents and data listed in that notification. The organization then submits all of the requested information to the OCR auditor via a secure portal, which is where the OCR begins its review of the data. Once the OCR has reviewed each document, it produces a final OCR audit report, which includes the organization’s comments in response to the findings.
How to Prepare for an OCR Audit
The best way to prepare for an OCR audit is to take the time and steps toward HIPAA compliance well before there is any risk or notification of an audit. Every company that works with PHI should be proactive about HIPAA compliance because, audit or not, it is responsible for keeping this information secure. Beyond the general need to be compliant, there are a few specific steps that will help the company and make an OCR audit far less daunting. Here are a few:
- Perform regular and comprehensive risk analyses
- Keep a clear inventory of all business associate agreements, contracts, and HIPAA-related policies and procedures
- Document all locations where PHI or ePHI is stored, including file cabinets, internal databases, laptops, paper files, and more.
- Train all employees that have access to PHI on HIPAA each year, and maintain records of these training certificates
Questions That You Will Be Asked
The specific details of the audit, and the questions you will be asked, vary depending on the type of audit you receive. There are hundreds of variations of HIPAA/OCR audits that HHS and the OCR conduct, depending on the specific issue or violation that has been detected within the organization. Each of these specialized audit types comes with its own established performance criteria that will be analyzed, and its own inquiries that will be put to the company based on the key activity deemed to be in violation of HIPAA.
Beyond these very particular audit types, HHS offers eight general instructions for undergoing a HIPAA audit. These come from an audit protocol resource published by HHS, which can be read in its entirety here.
- Where the document says "entity," it means both covered entities and business associates unless identified as one or the other;
- Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards;
- Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The auditor will not search for relevant documentation that may be contained within such compilations;
- Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request;
- Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word or MS Excel formats;
- If the requested number of documentations of implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
- Workforce members include entity employees, on-site contractors, students, and volunteers; and,
- Information systems include hardware, software, information, data, applications, communications, and people.
Potential Outcomes of the Audit
If your company is audited by HHS, whether randomly or as the result of a patient complaint, you will be required to follow any steps and procedures the OCR requests during its investigation. You should stay in communication with the OCR and quickly supply any information, data records, policies, procedures, training records, or other details it requests.
Once the OCR has received all of the information it needs from you, it will process and examine that data internally before reaching a conclusion. The audit may well be resolved quickly if you can provide all of the requested information, answer the OCR’s questions, and show that you are compliant with HIPAA. That is obviously the best-case scenario for a HIPAA audit, and it is exactly what Accountable works to ensure happens if any of our customers are audited.
Cost of Noncompliance
However, this cannot always be the way a HIPAA audit ends, or we would not report monthly on the costly settlements the OCR reaches with organizations found in violation. As we all know, the cost of HIPAA noncompliance is extremely high and can be crippling to an organization. The penalties for HIPAA noncompliance are based on the perceived level of negligence and range from $100 to $50,000 per individual violation, with a maximum penalty of $1.5 million per calendar year for violations. Additionally, violations can result in jail time for the individuals responsible.
HIPAA breaks the penalties for noncompliance into four tiers:
- First Tier: The covered entity did not know, and could not reasonably have known, of the breach. Generally, these fines range from $100 to $50,000 per incident, up to $1.5 million in penalties.
- Second Tier: The covered entity knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect. Fines for the second tier range from $1,000 to $50,000 per incident, up to $1.5 million.
- Third Tier: The covered entity “acted with willful neglect” but corrected the problems within a 30-day period of the breach. Penalties for the third tier range from $10,000 to $50,000 per incident, up to $1.5 million.
- Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident, up to $1.5 million.
What are Audits like for Accountable Customers?
After seeing the steep cost of being found in violation of HIPAA, remember that although it is easy to violate HIPAA, it is even easier to implement a HIPAA compliance platform that will train your employees and provide policies to safeguard all of the PHI you handle. If you are an Accountable customer, you can rely on the fact that once you have completed each step of our HIPAA checklist within the platform, you have completed the steps it takes to be HIPAA compliant. Plus, we offer to cover up to $100K of HIPAA-related costs that stem from a HIPAA audit or OCR fine. With a $100,000 HIPAA Breach and Audit Guarantee, you can have confidence in Accountable’s product and support to help you reach full compliance.
If you’re not an Accountable customer yet, today is a good day to get started and take away the stress of a potential HIPAA audit in the future. You can try our platform for free today without handing over any credit card information!