The HIPAA Audit Wake-Up Call: Is Your Practice Compliant?

April 10, 2025

 

The HIPAA Audit program is back in business. 

Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) has been able to audit practices, ensuring they follow HIPAA standards. 

While the revival of the audit program was announced last May, new information was confirmed at the latest HIPAA Summit, with 50 Covered Entities and Business Associates being selected to be audited.

This program was last active from 2016-2017, which highlighted that, unfortunately, noncompliance with HIPAA is far too common in regulated entities. In fact, only 14% of Covered Entities, like medical practices, could produce a compliant Security Risk Analysis (SRA). 

The healthcare industry is entering a new era of HIPAA compliance in the wake of the largest ever healthcare data breachNew HIPAA legislation is being reviewed and the Office of the Inspector General (OIG) is recommending stricter audit processes. With millions in fines already imposed in 2025, proactive preparation is now critical for healthcare providers and their business partners.

 

What is the Audit Program? 

The audit program was first introduced when the HITECH Act was enacted in 2009. While the majority of the investigations the OCR conducts are reactive, resulting after a patient complaint or a breach, the audit program is random. 

The OCR will thoroughly review the selected organization’s documentation and current processes as the audit program resumes. A compliant HIPAA program entails much more than training; it also requires comprehensive, continuous protocols to ensure patient data is being protected. 

The basis of a compliant practice is being able to present an SRA. As stated earlier, previous audit programs spotlighted the shortcomings of regulated entities completing this. 

The SRA is a thorough assessment of your practice. This includes reviewing the safeguards your practice currently has in place. Technical, physical, and administrative safeguards all play a role in securing Protected Health Information (PHI). 

This would include a deep dive into the technology your practice uses, the physical protections your practice might have (like alarms), and the administrative policies your practice follows. 

Completing this analysis will allow your practice to identify vulnerabilities before a breach occurs. Proactive compliance, addressing issues before they affect patients, is key to a successful practice. 

In addition to providing an SRA, practices must also prove compliance with other pillars of HIPAA compliance, such as the Right of Access (or sending requested medical records to practices in a timely manner), the Breach Notification Rule, the Privacy Rule, and more. 

After the rise in ransomware attacks in recent years, with a nearly 300% increase in ransomware-related breaches, regulated entities’ cybersecurity practices will likely be scrutinized, ensuring that those audited are aware of their technology responsibilities. 

 

What can I do? 

Your practice must be aware of HIPAA and implement the appropriate safeguards to be prepared for the possibility of an audit.

While this can be a daunting task, it is imperative for your practice to follow HIPAA compliance before a situation occurs. Thankfully, smart software can streamline and simplify HIPAA for your practice, providing a roadmap to compliance. With the right solution, your practice can see exactly what the OCR requires, which will be asked for if ever audited. 

To learn more about becoming audit-ready, schedule an educational consultation with our team of experts.

RECENT POSTS

Related posts

HIPAA Compliant Communication
Abyde News, Best Practices, HIPAA

Navigating HIPAA in the Digital Age: Patient Communication Essentials

April 2, 2025 No comments yet

April 2, 2025   When 80% of patients prefer digital communication, exploring this opportunity to better serve your patients is crucial. In the digital world, it’s easier than ever to connect with others and build relationships with others through technology. Connecting with patients via technology is simple, but practices must ensure that all communication, including emails, texts, and calls, adheres to HIPAA regulations.   What is HIPAA-Compliant Communication? HIPAA, or the Health Insurance Portability and Accountability Act, is focused on ensuring the security of patients’ Protected Health Information (PHI). PHI includes anything personally identifiable about a patient, including Social Security Numbers, full names, addresses, medical history, and more.  When communicating with a patient, it’s vital to implement the proper protocols to keep patient data safe. When patient data isn’t secured through traditional channels, using a regular phone doesn’t cut it. For instance, channels need to be encrypted, providing extra layers of protection.  Additionally, it’s important to communicate with patients using the minimum amount of information necessary for a conversation. For example, if a patient texts asking to reschedule an appointment, a practice should offer new times and not go in-depth about a patient’s medical history. Communication should remain brief and focus on justifiable reasons to talk to a patient, like scheduling, post-op instructions, and test results.  Patients need to consent to different forms of communication, like texts. The practice is responsible for receiving consent when a patient begins seeing a practice.    How can I Implement HIPAA-Compliant Communication?  An encrypted communication service is the easiest way to ensure secure communication channels. As communication with patients has become normalized in the healthcare industry, numerous organizations offer HIPAA-compliant communication systems. These systems include compliant and encrypted end-to-end phone calls, texts, and emails. Ensure these companies also do their due diligence and sign a Business Associate Agreement (BAA) with your communications provider.  Once a suitable communication system is in place, training staff on communicating effectively and safely with patients electronically is crucial. Staff should be well-versed in the proper procedures for digital patient communication. This includes understanding the Minimum Necessary standard, carefully reviewing messages before sending them to patients (especially to ensure information is being sent to the correct patient), and recognizing phishing scams to verify the authenticity of communications before responding.   What’s Next? Communicating with patients leads to a more successful practice, with higher attendance rates and more engaged patients. Digital communication is the future, and with the right tools, you can easily navigate HIPAA-compliant communication.  In addition to using digital communication systems, implementing a smart software solution is key to a compliant practice. A centralized compliance hub allows you to easily see your vulnerabilities and organize vital documentation, like BAAs with third-party vendors you may use.  Looking to learn more about how you can make your practice more efficient while still following rigorous HIPAA laws? Schedule a meeting with a compliance expert today. 

Business Associate Risk Analysis Initiative Fine
Abyde News, Business Associates, Fines, HIPAA

Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine

March 27, 2025 No comments yet

March 27, 2025   With over $3.5 million of fines levied against Business Associates (BAs) so far in 2025, it’s fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines in 2025 serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI).  The latest BA HIPAA fine was enforced on the Health Fitness Corporation, which offers wellness plans nationwide.  After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP).  At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization’s vulnerabilities.  This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent program by the OCR to ensure regulated entities complied with this HIPAA requirement.  This fine not only spotlights the importance of Business Associates following HIPAA, but also for all regulated entities to be aware of the Security Risk Analysis requirement.    What Happened?  In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered in June 2018, with an estimated 4,000 patients impacted by this security issue.  Four breach reports describing this incident were filed from the end of 2018 into early 2019.  This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024.  The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities.  As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years.    How to Protect Your Organization  When working with PHI, all involved parties must know their responsibilities.  For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third parties with access to PHI is vital. BAAs define each party’s responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually, and anytime a breach occurs. Risks can be mitigated by being on top and informed about your organization’s vulnerabilities.  Utilizing a smart software solution can streamline these requirements. Smart solutions can streamline the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.

HIPAA Right of Access
Abyde News, Best Practices, HIPAA

What is Right of Access?: Understanding the HIPAA Privacy Rule

March 20, 2025 No comments yet

March 20, 2025   HIPAA is often misunderstood as only addressing the security of medical information. However, it encompasses more than that. The Health Insurance Portability & Accountability Act also defines how medical information must be shared with patients through the Privacy Rule. This highlights another key responsibility healthcare providers must be accountable for.  Alongside the Security Rule and the Breach Notification Rule, the Privacy Rule provides patients additional rights regarding how their medical records are handled.  The Privacy Rule created the Right of Access, requiring practices to provide patients with their medical records in a timely manner.  With the latest fine for HIPAA being a Right of Access violation, it’s vital for practices to be aware of this requirement and how it pertains to the care they provide.    What is Right of Access? Right of Access gives practices 30 days to fulfill a patient’s request for their records. In some situations, these thirty days can be extended to an additional 30 days, but that is the longest period of time allowed to provide a patient with their records.  This is a federal requirement, but the timeline could be even shorter depending on where the practice is located. For instance, if the practice is in California, staff must provide patients with medical records within 15 days.  Your practice can charge for medical records, but it needs to be reasonable. The Office for Civil Rights (OCR) defines this as the average cost of supplies, limited labor, and postage when providing medical records to a patient.  However, instead of calculating this cost, the OCR also suggested a flat fee not to exceed $6.50 when handling electronic records. Once again, other guidance can be levied on the state level, like California’s cap on the cost of medical records at 25¢ a page plus a reasonable clerical fee.  From the moment a practice receives a request, it must be addressed quickly. Staying on top of these requests is crucial for staying compliant and maintaining patient satisfaction.    How to Stay Compliant While this might seem simple, many practices have been fined in the past for violating this right of patients. In 2024 alone, Right of Access fines accounted for nearly $500,000. The OCR introduced a Right of Access Initiative to ensure that these patient requests are taken seriously. Many of these investigations and fines stem from patient complaints, showing the importance of complying with this HIPAA component.  Utilizing smart software solutions can assist your team in ensuring that all staff members are aware of their responsibilities when handling PHI, including the responsibility to address patient requests quickly. This empowers your team to take accountability and keep patients happy.  To learn more about how to comply with HIPAA Right of Access legislation, meet with our team of compliance experts today.