We’ve talked about HIPAA audits before, but today, we want to go over what a HIPAA audit can actually mean for your organization. There are both positive and negative implications for the increased security around patient health information, so let’s see what exactly they are.

Since the Centers for Medicare & Medicaid Services (CMS) implemented meaningful use, the security risk analysis and follow-up updates already required under the HIPAA Security Rule also satisfy the Stage 1 meaningful use requirement. Killing two birds with one stone? Maybe so.


HHS previously capped penalties at $25,000 per year for repeated violations of the same provision, but has since put on the pressure by raising that annual cap to $1.5 million. Unannounced audits and unfortunate breaches (accidental or not) have cost many healthcare providers dearly. While the financial consequences are painful enough, the damage to an organization’s reputation with the public can be even harder to overcome.

Short windows for compliance

The window an organization has to submit documentation of HIPAA privacy and security compliance is only 10 days, which means that even the best scramble will leave an unprepared organization in shambles. An organization needs up-to-date materials on business associate agreements, risk assessments, safeguard documentation, and employee training, ready to hand over before the request ever arrives.

Omnibus Rule

HIPAA’s Omnibus Rule expands both the definition of a breach and the repercussions for failing to address one. A provider that isn’t clear on what now qualifies as a breach can see its violation count climb quickly. The rule also makes business associates directly responsible for HIPAA compliance, so be sure your procedures are clear to all third-party providers as well.

HIPAA audits: The real picture

Since 2009, about 1,150 large breaches have been reported, affecting more than 80 million patients. Fining has been minimal in comparison to the scale of those breaches: OCR has fined healthcare organizations only 22 times.

So what does that mean for organizations preparing for HIPAA audits? A few things:

  • It appears that most organizations avoid potential fines by correcting the deficiencies found within the allowed window of time.
  • Risk assessments and constant oversight are helping organizations stay in the green.
  • Major breaches are what get organizations in big trouble, and they are usually the result of careless procedures or unsuspecting employees who weren’t properly trained.
  • Early reporting means potential breaches can be contained and mitigated before they grow.

The bottom line: be prepared, use precaution, and stay on top of your ePHI. If you can do those three things, you shouldn’t have much to worry about when audit time comes.