Being Prepared for a HIPAA Audit

May 4, 2020

The Office of Civil Rights (OCR) periodically audits covered entities (i.e. health plans, health care clearinghouses, and health care providers) to ensure compliance with HIPAA’s regulations. HIPAA audit or investigation penalties for noncompliance can amount to millions of dollars, depending on the level of negligence. Although HIPAA regulations are overwhelming to many, OCR does provide its audit protocol, which can be used as a guideline to assess the potential areas OCR may look at during an audit and which includes information on what HIPAA regulations require for compliance. Group health plan sponsors should use OCR’s audit protocol as a guide & take steps to prepare themselves.


1.    Designate & train (different roles, but the same individual may fill all three functions):

  • a. A HIPAA privacy officer

  • b. A contact person for receiving complaints & answering employee questions

  • c. A HIPAA security officer (technology)

2.    Identify areas of risk through an assessment – e.g. identify and review how the group health plan uses and discloses PHI, which individuals or departments have access, how PHI access is limited, and the vulnerability of the locations where electronic PHI is stored, received, maintained or transmitted

3.    Develop written policies & procedures* implementing appropriate administrative and other safeguards to protect the privacy of PHI

4.    Roll out the program & document training for all members of the workforce with access to PHI

5.    Re-evaluate the program annually

*Examples of written policies & procedures needed include but are not limited to:

  • Procedures to reasonably ensure that only the minimum necessary PHI is used to complete a task, and that only those who need PHI to perform their functions for the group health plan have access to the information.

  • Procedure to distribute the HIPAA Notice of Privacy Practices reminder to participants enrolled in the group health plan, at a minimum every 3 years

  • Procedure to identify current and future business associates and ensure a Business Associate Agreement (BAA) is in place

  • Process to allow employees to inspect and receive a copy of their PHI, request amendments to it, or restrict its uses and disclosures

  • Complaint procedures for employees who believe their privacy rights have been violated

  • Procedure to mitigate risk if a violation of HIPAA policies & procedures occurs, and consequences for an employee who used or disclosed PHI inappropriately

HIPAA requires covered entities, and the persons or entities who create, receive or maintain protected health information (PHI) on behalf of a covered entity (i.e. business associates), to implement privacy and security policies and procedures to protect individually identifiable health information.

A covered entity should, at a minimum, review its policies when HIPAA regulations change, business processes change, different technology is implemented, or new state laws are passed. It’s also imperative for an organization to review its policies if it experiences a data breach or security violation, and HIPAA requires that a risk assessment be performed. Failure to perform an assessment may be considered “willful neglect”, which is subject to the highest monetary fines.

The best way to prevent a breach, or to come away from a HIPAA audit successfully, is for covered entities to understand the privacy and security rules defined by HIPAA, comply with HIPAA’s regulations, and be able to demonstrate that compliance.


Disclaimer: This blog was written by Michelle Turner, MBA, Compliance Consultant, Alera Group Central Region. This blog post intends to provide general information regarding the status of, and/or potential concerns related to, current employer HR & benefits issues. This blog should not be construed as, nor is it intended to provide, legal advice. The opinions expressed herein are based upon the author’s experience as a Compliance Consultant and may not reflect the opinions of your counsel. 

Current as of 5/4/20

The information contained herein should be understood to be general insurance brokerage information only and does not constitute advice for any particular situation or fact pattern and cannot be relied upon as such.  Statements concerning financial, regulatory or legal matters are based on general observations as an insurance broker and may not be relied upon as financial, regulatory or legal advice.  This document is owned by Alera Group, Inc., and its contents may not be reproduced, in whole or in part, without the written permission of Alera Group, Inc.