Being Prepared for a HIPAA Audit

May 4, 2020

The Office of Civil Rights (OCR) periodically audits covered entities (i.e. health plans, health care clearinghouses, and health care providers) to ensure compliance with HIPAA’s regulations. HIPAA audit or investigation penalties for noncompliance can amount to millions of dollars depending on the level of negligence. Although HIPAA regulations are overwhelming to many, OCR does provide its audit protocol, which can be used as a guideline to assess the areas OCR may look at during an audit and which includes information on what HIPAA regulations require for compliance. Group health plan sponsors should use OCR’s audit protocol as a guide and take steps to prepare themselves.


1.    Designate and train (different roles, but may be the same individual for all three functions):

  • a. A HIPAA privacy officer

  • b. A contact person for receiving complaints and answering employee questions

  • c. A HIPAA security officer (technology)

2.    Identify areas of risk through an assessment – e.g. identify and review how the group health plan uses and discloses PHI, which individuals or departments have access, how PHI access is limited, and how vulnerable the locations where electronic PHI is stored, received, maintained or transmitted are

3.    Develop written policies and procedures* implementing appropriate administrative and related safeguards to protect the privacy of PHI

4.    Roll out the program and document training for all members of its workforce with access to PHI

5.    Re-evaluate the program annually

*Examples of written policies and procedures needed include, but are not limited to:

  • Procedures to reasonably ensure that only the minimum necessary PHI is used to complete a task, and that only those who need PHI to perform their functions for the group health plan have access to the information.

  • A procedure to distribute the HIPAA Notice of Privacy Practices reminder to participants enrolled in the group health plan, at a minimum every 3 years

  • A procedure to identify current and future business associates and ensure a Business Associate Agreement (BAA) is in place

  • A process to allow employees to inspect, receive a copy of, request amendments to, or restrict uses and disclosures of their PHI

  • Complaint procedures for an employee who believes their privacy rights have been violated

  • A procedure to mitigate risk if a violation of HIPAA policies and procedures occurs, and consequences for an employee who used or disclosed PHI inappropriately

HIPAA requires covered entities, and persons or entities who create, receive or maintain protected health information (PHI) on behalf of a covered entity (i.e. business associates), to implement privacy and security policies and procedures to protect individually identifiable health information.

At a minimum, a covered entity should review its policies when changes are made to HIPAA regulations, when business processes change, when different technology is implemented, or when new state laws are passed. It is also imperative for an organization to review its policies if it experiences a data breach or security violation, and HIPAA requires that a risk assessment be performed. Failure to perform an assessment may be considered “willful neglect”, which is subject to the highest monetary fines.

The best way to prevent a breach, or to come away from a HIPAA audit successfully, is for covered entities to understand the privacy and security rules defined by HIPAA, comply with HIPAA’s regulations, and be able to demonstrate that compliance.


Disclaimer: This blog was written by Michelle Turner, MBA, Compliance Consultant, Alera Group Central Region. This blog post intends to provide general information regarding the status of, and/or potential concerns related to, current employer HR & benefits issues. This blog should not be construed as, nor is it intended to provide, legal advice. The opinions expressed herein are based upon the author’s experience as a Compliance Consultant and may not reflect the opinions of your counsel. 

Current as of 5/4/20

The information contained herein should be understood to be general insurance brokerage information only and does not constitute advice for any particular situation or fact pattern and cannot be relied upon as such.  Statements concerning financial, regulatory or legal matters are based on general observations as an insurance broker and may not be relied upon as financial, regulatory or legal advice.  This document is owned by Alera Group, Inc., and its contents may not be reproduced, in whole or in part, without the written permission of Alera Group, Inc.


About Alera Group 

Alera Group is an independent, national insurance and wealth services firm with more than $1.1 billion in annual revenue, offering comprehensive employee benefits, property and casualty insurance, retirement plan services and wealth services solutions to clients nationwide. By working collaboratively across specialties and geographies, Alera Group’s team of more than 4,000 professionals in more than 180 locations provides creative, competitive services that help ensure a client’s business and personal success. For more information, visit or follow us on LinkedIn.