HIPAA Compliance Audits Underway

So the first round of the HIPAA compliance audit program is underway. Howard Anderson, writing in HealthcareInfoSecurity.com, has a great post on what’s going on:
– 20 organizations will be hosting auditors from KPMG in the next few weeks, followed by another 130 organizations in the second phase of the audits later this year.
– The focus this year is on covered entities, not on their business associates.
– OCR is not just going after the big fish. OCR is auditing “eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians’ offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.”
– Adam Greene, the blogger who broke this news first on his blog, has some interesting details about the organizations. It seems as if 6 of the 20 organizations chosen for the first audit are Level 4 entities, meaning “Small providers and community pharmacies with less than $50 million in revenue and/or assets.” This translates to 30% of the initial list.
– Notifications were sent to organizations on the 1st of December. Auditors are going out for field visits expected to last between 3 and 10 business days.

Having been in charge of Sarbanes Oxley audits at my last place of work, I know first-hand what a flurry external audits can cause in any organization. I can only empathize with the first few organizations chosen. However, I also find OCR’s approach to the audit process to be quite wise – the post at HealthcareInfoSecurity quotes Leon Rodriguez, OCR head honcho, as saying “Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve… Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.”

Which probably is some solace for the organizations that are currently being audited. Hopefully, at the end of this exercise, OCR will have a good idea of where the major weaknesses are and where it wants organizations to be, and will help them get there.

About the author

Priya Ramachandran

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.


  • There’s a film clip that’s been shown on Fox News recently of a mid-level bureaucrat in ?the EPA? who was fired a year ago after publicly comparing the approach of the Roman Empire on administrative governance of newly conquered territories to his job. He said something similar to “They would go in and crucify the first five people they found. After that, the territory would be very easy to govern for the next three years or so.”

    Good luck to the sacrificial lambs on the altar of HIPAA. The first $100,000 fine on a cardiology practice has hit the news. Not sure if that was an audit, or a targeted investigation, but it could put the guy out of business either way.

    Sadly, if the OCR does get Draconian with these HIPAA audits, the most logical response for small businesses/practices will be to drop insurers, especially the government, and return to pen, paper and cash.

  • Good extension of that story. They won’t articulate it like he did, but that is what will happen in this situation as well.