The HIPAA Audit: What to Know Before You Get the Notice

The Health Insurance Portability and Accountability Act (HIPAA) is a set of laws that govern the protection of sensitive patient health information. It was passed in 1996 and has been expanded since then. HIPAA is a tremendous boon for consumers because it protects their personal health data — but for businesses, HIPAA compliance is a model of complexity and a trap for the unwary. Knowingly or unknowingly violating HIPAA can lead to hefty fines and even potential jail time, depending on the severity and frequency of the offense. Just one example: in 2020, Health Share of Oregon suffered a data breach when a laptop holding the unencrypted protected health information of more than 650,000 members was stolen from a third-party vendor.

Do you handle PHI? If so, you’re bound by HIPAA.

Does your organization process, handle, manage or store protected health information (PHI)? Do your third parties? If so, maintaining HIPAA compliance — and knowing that your third parties are HIPAA compliant — is crucial for avoiding civil fines, criminal fines, jail time, and really bad publicity. Below is a brief overview of the HIPAA requirements, as well as some helpful tips on how to maintain HIPAA compliance in your organization — and work with third parties who take HIPAA compliance as seriously as you do.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to mandate national standards for protecting patient health information from being disclosed without the patient’s knowledge or consent. The basic goal is to limit the use of PHI to those with a “need to know.” A second goal is to penalize those who don’t comply.

And you can’t sneak past HIPAA; organizations are frequently fined for violations. In one such instance, the University of Rochester Medical Center lost a flash drive and a laptop containing PHI that wasn’t encrypted. The end result was a $3 million settlement. In another, a health care provider agreed to a fine of $30,000 for disclosing patient information when it posted a response to the patient’s negative online review.

These are dwarfed by Anthem’s still-record $16 million payment following what was then the largest health data breach in history.

A Basic Question: What is Protected Health Information (PHI)?

PHI includes, but is not limited to, the following:

  • Diagnostic images
  • Medical records for adults and minors
  • Any indices of patients
  • Lab results
  • Medical bills
  • Surgical procedure registries
  • Prescription drug histories
  • Appointment dates and times

What Forms of Data Does HIPAA Protect?

  • Written, paper, spoken or electronic data
  • Transmission of data within and outside a healthcare facility
  • Data size does not matter

HIPAA Compliance Rules

The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. Other significant HIPAA rules are the Security Rule, the Breach Notification Rule, the Enforcement Rule, and a catchall category of other administrative simplification rules.

The Privacy Rule

The HIPAA Privacy Rule was enacted under HIPAA in 2000 as a way to establish regulations to meet HIPAA requirements. For example, the Privacy Rule governs how and when a patient’s health information can be used, disclosed and accessed both on and offline. The Privacy Rule also grants individual patients the ability to control how their private health information is used to a certain extent. The Privacy Rule refers to this information as PHI.

The Security Rule

The HIPAA Security Rule was enacted in 2003 and governs the protection of electronic protected health information (e-PHI). This rule requires organizations to have a system in place to maintain e-PHI securely at all times, including whenever they create, receive, maintain or transmit e-PHI.

The Security Rule lays out three types of security safeguards — administrative, physical and technical — that a covered entity should implement.

  • Administrative Safeguards
    • Security Management Process. Identification and analysis of potential risks to e-PHI; implementation of security measures.
    • Security Personnel. Designating a security official to develop and implement security policies and procedures.
    • Information Access Management. Implementation of policies and procedures for authorizing role-based access to e-PHI.
    • Workforce Training and Management. Authorization and supervision of workforce members who work with e-PHI. Training for all workforce members regarding security policies and procedures. Sanctions against workforce members who violate policies and procedures.
    • Evaluation. A periodic assessment of how well security policies and procedures meet the requirements of the Security Rule.
  • Physical Safeguards
    • Facility Access and Control. Limiting physical access to facilities while ensuring that authorized access is allowed.
    • Workstation and Device Security. (1) Policies and procedures to specify proper access to workstations and electronic media and (2) policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media.
  • Technical Safeguards
    • Access Control. Technical policies and procedures must allow only authorized persons to access e-PHI.
    • Audit Controls. Hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that have e-PHI. This includes audit logs.
    • Integrity Controls. Policies and procedures that ensure that e-PHI is not improperly altered or destroyed, and electronic measures to confirm that e-PHI has not been improperly altered or destroyed.
    • Transmission Security. Technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic network.

The Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify affected patients, HHS, and in some cases, the media, following a breach of unsecured PHI. Generally, a breach is an unpermitted use or disclosure that compromises the security or privacy of PHI.

The Enforcement Rule

The HIPAA Enforcement Rule covers procedures for investigations and hearings for HIPAA violations. The HHS Office for Civil Rights (OCR) enforces the Privacy, Security and Breach Notification Rules.

The Enforcement Rule imposes monetary penalties for violations of HIPAA. Civil penalties can apply at up to $63,973 per violation, depending on the level of culpability, with a cap of up to $1,919,173 per year. In addition, a person who knowingly violates the Privacy Rule may face criminal penalties and/or imprisonment.

Since enforcement began, through May 31, 2023, OCR has received over 331,100 HIPAA complaints and initiated over 1,166 HIPAA compliance reviews. Settlements and civil penalties totaled $135,223,772.00. OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers and group health plans.

The Administrative Simplification Rule

The HIPAA Administrative Simplification Rule requires healthcare organizations to adopt national standards for transactions involving electronic data interchange (EDI).

  • Operating rules: Operating rules specify the information that must be included when conducting standard transactions, making it easier for providers to handle administrative transactions electronically.
  • Transactions and Codes Set Standards: This requires entities that transfer health care information to use a standard code for diagnoses and procedures.
  • Unique Identifier Standards for Employers and Providers:
    • Requires employers to use a standard Employer Identification Number (EIN) in transactions
    • Requires healthcare providers to use a National Provider Identifier (NPI) in transactions

Who is Subject to HIPAA Regulations?

Covered entities — entities subject to HIPAA compliance — typically include the following individuals and organizations:

  • Healthcare providers. This includes individual doctors, nurses, surgeons, and anyone working in a healthcare facility or private office. It also includes healthcare organizations and hospitals.
  • People who process or store health data. Anyone who works with private health data is considered a “covered entity,” including individuals working in claims and benefits departments, individuals handling referral authorization requests, and even web hosts storing data or hosting applications used by healthcare providers.
  • Insurance companies. Any company that pays for a person’s medical care or prescriptions is subject to the HIPAA Privacy Rule. Medicare and Medicaid are covered entities, along with companies that handle dental insurance payments, vision care payments and discount prescription drug programs. Also included are certain group health insurance plans with 50 or more participants.

A Note about “Business Associates” Under HIPAA

You might be thinking: My organization has nothing to do with PHI. But are you a “business associate”? That’s defined as a person or entity that performs certain functions or activities that involve PHI on behalf of, or provides services to, a covered entity. Business associates might be performing:

  • claims processing or administration
  • data analysis, processing or administration
  • utilization review
  • quality assurance
  • billing
  • benefit management
  • practice management
  • repricing

Business associates include, for example:

  • A third-party administrator that assists a health plan with claims processing
  • A CPA firm whose accounting services to a health care provider involve access to PHI
  • An attorney whose legal services to a health plan involve access to PHI
  • A consultant that performs utilization reviews for a hospital
  • A pharmacy benefits manager that manages a health plan’s pharmacist network

In order for a covered entity to be legally allowed to work with a business associate, the two parties must sign a contract, often called a “business associate agreement,” containing certain specified elements under HIPAA. For example, any contract with business associates should:

  • Describe the permitted and required uses of PHI by the business associates.
  • Provide that the business associates will not use or further disclose the PHI other than as permitted or required by the contract or by law.
  • Require the business associates to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.

HIPAA Audits Today

HHS is required to periodically audit covered entities and business associates for their compliance with the HIPAA Privacy, Security and Breach Notification Rules. Today, a HIPAA audit can be triggered by a consumer complaint, a self-reported breach, or just a random pick by OCR.

HIPAA has a comprehensive list of questions its audits can cover, organized by rule and regulatory provision. The questions address separately the elements of privacy, security, and breach notification. HIPAA audits assess compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review.

Who Can OCR Select for a HIPAA Audit?

Any covered entity and business associate can be selected for a HIPAA audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities.

The Audit Pool

OCR sends a questionnaire designed to gather data about the size, type, and operations of potential auditees to covered entities and business associates. Entities are also asked to identify their business associates. The data is used with other information to develop pools of potential auditees for the purpose of making audit subject selections. OCR then chooses auditees through random sampling of the audit pool.

If an entity fails to respond to the questionnaire, OCR will use publicly available information about the entity to create its audit pool. Not responding to the questionnaire won’t necessarily stop OCR from selecting the entity for a HIPAA audit.

The HIPAA Audit Process

In a HIPAA audit, OCR typically conducts a review of an entity’s policies, procedures, and practices related to HIPAA compliance, including the administrative, physical and technical safeguards that have been implemented to protect PHI and e-PHI. Audits examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules or may examine a broader scope of requirements.

Entities selected for audit are sent a questionnaire and are asked to provide documents and other data. These entities submit documents online through a secure portal. Auditors review documentation and then develop and share draft findings with the entity. Auditees have the opportunity to respond to draft findings, and their responses are included in the final audit report. The final audit report describes how the audit was conducted, discusses any findings, and contains the entity’s response to the draft findings.

There’s no set rule as to how long a HIPAA audit can take.

How Likely Are You to Be the Subject of a HIPAA Audit?

There’s no way to know. Audits can be triggered by patient complaints or an entity self-reporting a breach, but they can be random, as well.

How to Be Prepared for a HIPAA Audit

To ensure your organization complies with all HIPAA regulations, you need a system and strategy in place. HIPAA compliance depends on whether you’ve taken these steps:

  • Appoint a HIPAA security and privacy officer. Depending on your entity’s needs, the roles could be held by one person or two.
  • Implement policies and procedures to govern access to facilities that house information systems and e-PHI.
  • Implement physical protections to control and manage physical access to your facility.
  • Keep an inventory of your practice’s facilities that house equipment that creates, maintains, receives, and transmits e-PHI.
  • Inventory all business associate agreements, contracts, and HIPAA-related policies and procedures.
  • Encrypt all data end-to-end, including email communications, without exception.
  • Ensure all personnel adhere to strict guidelines governing PHI.
  • Implement a strict IT security policy that governs access by device, not by user.
  • Employees who could have access to PHI should be trained on the HIPAA rules. Document the training.
  • Make sure all employees know not to post about their experiences with patients on social media. Healthcare workers, including EMS workers, have been sued for social media posts that violate HIPAA.
  • Strengthen your contracts with individuals, organizations and independent contractors, binding them to operate according to your security standards.
  • Make sure all business associates and third-party vendors have been evaluated to determine whether or not they require business associate agreements.
  • Know whether you allow third-party vendors to access your information systems and/or e-PHI.
  • Record information system events, alerts, user actions, and other activities in audit logs and conduct regular reviews of such logs. This requirement under HIPAA enables entities to identify and respond to security incidents quickly.
  • Hire an outside organization to perform periodic risk assessments, to determine whether current security is adequate to pass a HIPAA compliance review and to fix any areas where PHI might be at risk.
  • Hire a provider to test vendor cybersecurity. If you’re using software provided by a third-party vendor and you handle PHI, you will be held liable for violations caused by your vendor’s security oversights. Unfortunately, third parties are the main source of all data breaches.
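The audit-log item in the checklist above, and the Security Rule’s Audit Controls and Access Control safeguards, both come down to the same routine: record every e-PHI access and review the records against who is actually authorized. The following Python script is an added illustration of such a review; it is not code from the article, from Panorays or from OCR. It assumes a constructed pipe-separated log format (timestamp, user, role, patient id, action) and a role-to-action authorization table, and it flags three things a reviewer would want to see: actions a role is not permitted to perform, e-PHI access outside business hours, and one user touching many distinct patients in a day. The sample log lines, user names and thresholds are constructed for the example.

```python
"""Periodic e-PHI audit-log review (added example; log format and rules are assumptions)."""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample log: ISO timestamp | user | role | patient id | action.
# These lines are invented for the example and do not come from any real system.
SAMPLE_LOG = """\
2023-05-01T09:12:03|dr_lee|physician|P1001|view_record
2023-05-01T09:15:40|nurse_kim|nurse|P1001|view_record
2023-05-01T10:02:11|billing_ann|billing|P1002|view_bill
2023-05-01T10:03:30|billing_ann|billing|P1002|view_record
2023-05-01T23:41:05|nurse_kim|nurse|P1003|view_record
2023-05-02T08:00:01|export_tool|vendor|P1004|export_record
2023-05-02T08:00:02|export_tool|vendor|P1005|export_record
2023-05-02T08:00:03|export_tool|vendor|P1006|export_record
"""

# Role-based authorization table (the Information Access Management /
# Access Control safeguard). Constructed for the example: a real table would
# come from the entity's own access policies and business associate agreements.
ALLOWED_ACTIONS = {
    "physician": {"view_record", "update_record"},
    "nurse": {"view_record"},
    "billing": {"view_bill"},
    "vendor": set(),  # no direct e-PHI access unless a BAA explicitly grants it
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours
BULK_THRESHOLD = 3  # distinct patients per user per day before flagging


def parse_log(text):
    """Turn log text into event dicts; reject malformed lines instead of guessing."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, user, role, patient, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def review(events):
    """Return (kind, user, detail) findings for a reviewer to follow up on."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for e in events:
        # Access Control check: was this role allowed to perform this action?
        if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set()):
            findings.append(("unauthorized_action", e["user"],
                             f"{e['role']} performed {e['action']} on {e['patient']}"))
        # After-hours access is not necessarily wrong, but it merits review.
        if not (BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"],
                             f"{e['action']} on {e['patient']} at {e['ts'].isoformat()}"))
        patients_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Bulk access: one account reaching many distinct patients in a day.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


def summarize(findings):
    """Count findings by kind, for the review record."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for kind, user, detail in results:
        print(f"{kind:20} {user:14} {detail}")
    print(dict(summarize(results)))
```

On the constructed log the script reports four unauthorized actions (a billing user opening a medical record and a vendor export tool pulling three records), one after-hours access and one bulk-access finding. The point for the audit is less the specific rules than the evidence they produce: a dated review output like this, kept alongside the log retention and the authorization table, is what demonstrates that audit controls are actually exercised rather than merely configured.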

Beware DIY Risk Analysis and Risk Management

The OCR Phase 2 Report found that covered entities were struggling to implement the Security Rule’s requirements of risk analysis and risk management. In fact, only 14% of covered entities and 17% of business associates were “substantially fulfilling” their regulatory responsibilities to safeguard e-PHI through risk analysis activities. Entities generally failed to:

  • Identify and assess the risks to all of the e-PHI in their possession.
  • Develop and implement policies and procedures for conducting a risk analysis.
  • Identify threats and vulnerabilities, consider their potential likelihoods and impacts, and rate the risk to e-PHI.
  • Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or the occurrence of a significant event.
  • Conduct risk analyses consistent with policies and procedures.

The HIPAA Compliance Checklist?

If you want a complete, bulletproof checklist of everything you need to do to pass a HIPAA audit, the closest we can come to providing that is to suggest you read the HIPAA rules, for a good night’s sleep — or else have an expert conduct that risk assessment. Then do what they tell you.

But what about third parties who are required to follow HIPAA? If risk management is that challenging (see one paragraph back), how can you make sure that your third parties are HIPAA compliant? At the very least, take these steps:

  1. Evaluate the third party’s security posture.
  2. Make the third party aware of security gaps, so that they fix them.
  3. Secure third-party interaction, especially where their security is unreliable.
  4. Continuously monitor third-party cybersecurity posture.
  5. Minimize risk based on your relationship with the third party.

Wondering how to assess third-party cybersecurity for HIPAA? Panorays can help.

You can’t take chances with your third parties. If they’re not following cybersecurity policies that meet HIPAA standards, the data you process is at risk, meaning your organization is at risk as well. You don’t want to find that out during your HIPAA compliance audit. Because if your third parties are not compliant with HIPAA, neither are you. Panorays can assess the strength of your third parties’ security posture and suggest ways to strengthen it. To get started, open your Free Account today!