Tips for Surviving a Federal HIPAA Audit

Being contacted by the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR) for a HIPAA audit can be a very scary situation. The best way to survive a federal HIPAA audit is ensuring that you have the proper procedures in place every single day on the job. A single employee who is non-compliant could cost your practice a lot. 

Make Sure It’s Valid

Unfortunately, some scammers try to take advantage of practices by pretending to be OCR representatives conducting an audit and asking practices to purchase “certification” services. OCR and HHS will only make contact with your practice via email or certified letter. You always have a right to respond to ask for proof of validity, and that will not be held against you during the audit process. There is no certifying body for HIPAA compliance in existence, so any organization that approaches you claiming that they are one is lying.

Educate Your Employees

One of the best prevention strategies is educating your employees of the serious consequences of a HIPAA violation.

  • A HIPAA violation that occurs without knowledge: $100-$25,000 violation
  • A HIPAA violation due to reasonable cause: $1,000-$50,000 violation
  • A HIPAA violation due to willful neglect, but fixed within 30 days: $10,000-$50,000 violation
  • A HIPAA violation due to willful neglect that is uncorrected or corrected after 30 days: $50,000 violation

Reminding employees of the steep cost associated with each violation regularly can help to ensure compliance.

Tips for Survival

When preparing for a federal HIPAA audit, ask yourself the following:

  • Are our HIPAA policies and procedures regularly updated and effective? You should have things like a Breach Notification policy on hand and in effect.
  • Is our HIPAA training regularly updated and effective? How do we know it’s working? Every practice is required to hold HIPAA trainings for employees that are up-to-date, as well as maintain detailed records showing when employees attended the training and tests or surveys showing they understood the content.
  • Has our practice completed a risk assessment? This aspect of HIPAA often lies under the radar, but it’s a requirement as part of the HIPAA security management processes.
  • Have we had HIPAA breaches? If you have had a breach, you should make sure that all documentation has been properly completed.

Keep Your Practice HIPAA-Compliant with Vetters Enterprises

Vetters Enterprises specializes in practice management, private practice business support and revenue cycle optimization. We can perform in-depth assessments of your practice or facility and identify potential issues. Let us keep your business as healthy as you keep your patients! Give us a call at (443) 352-0088.

Leave a Reply