OCR Reveals HIPAA Audit Results

The Office for Civil Rights (OCR) has completed the first 20 HIPAA audits of its pilot audit program.  This first round covered 8 health plans, 10 provider offices and 2 clearinghouses.  As you might expect, smaller entities had more issues than larger entities, and providers are the group lagging farthest behind. 

In an effort to learn from those who were lucky enough to experience the first 20 audits, let's look at what OCR discovered about HIPAA compliance.


Healthcare provider offices accounted for 81% of the deficiencies noted, which included both privacy and security violations.  The majority of issues identified by the audits related to the Security Rule.  The most common security issues identified include the lack of:

  • User activity monitoring
  • Contingency planning
  • Risk Assessment
  • Encryption


Some common privacy issues include:

  • Missing review process when patients are denied access to records
  • Failing to provide patients appropriate access to records
  • Missing policies and procedures
  • Improper use and disclosure of deceased individuals' information
  • Missing or invalid business associate agreements
  • Problems with the Notice of Privacy Practices


OCR has stated that the entities audited in the first round will not have sanctions imposed.  An additional 75 audits are planned for 2012, and the selected entities will be given 15 days to respond to OCR's request for information.


What can you do in your office to prepare? 


The first step is to conduct a comprehensive review and risk assessment of your environment.  This includes an asset inventory and mapping the movement of protected health information (PHI) within your organization and to external parties.  This risk analysis should be repeated "periodically", which in practice means at least annually and whenever your environment changes significantly.


If you have an existing HIPAA manual, review it and make sure it is updated for the changes introduced by HITECH.  Make sure that your manual addresses the administrative, physical and technical safeguards required by HIPAA.


If you are without a HIPAA manual, consider purchasing or hiring a consultant to audit your office and prepare a custom manual for you.


Train your staff on HIPAA regulations, as well as your internal policies and procedures.


For those offices participating in the Medicare EHR Incentive program, part of your attestation includes attesting to having conducted a "security risk analysis in accordance with requirements under 45 CFR 164.308(a)(1)…".  If your office hasn't performed a full risk analysis, your attestation may be invalid and your incentive money at risk.


Check out our archived articles for more information on HIPAA related regulations.  For assistance with any compliance related need, contact us.  We’re happy to help.