Knock, Knock – We’re here to perform an onsite HIPAA audit.


Welcome to 2017.  If you haven't heard, the Health and Human Services Office for Civil Rights (OCR) will perform several hundred on-site HIPAA audits this year. The chance of being selected is low, but if you are one of the "lucky" covered entities that is audited, you had better be ready, with all your ducks in a row. Current HIPAA training is only one duck; you need at least four more.  So, prepare to go duck hunting and get them in order sooner rather than later.

There are two very important things to understand about this new process and the audit protocol the OCR implemented in 2016. The OCR now requires documented proof that covered entities and business associates have ...

  1. Implemented HIPAA-specific Policies and Procedures (P&Ps) in 2016 that show a plan for risk management.
  2. Produced documentation, including the P&Ps and logs of HIPAA activity, in electronic format suitable for upload to the OCR's web site.


Don't forget that the OCR already expected the following for HIPAA desk audits in 2015 and 2016.

  1. A current annual Security Risk Analysis (SRA) based on the OCR SRA questions and/or the NIST SP 800 series guidance, plus a risk assessment that also covers privacy.
  2. Current HIPAA training, covering both privacy and cybersecurity, for all staff with access to PHI and ePHI.

The real takeaway?  
The OCR reportedly intends to automate auditing, with the goal of auditing all covered entities and business associates by 2019.  The OCR has expected covered entities and business associates to keep HIPAA compliance documentation in electronic format since 2016.  Make sure your HIPAA report, corrective actions and logs are in electronic format, and that you can show improvement in your HIPAA compliance over time.

Call-To-Action: If you haven't started, or haven't completed, the steps necessary to be HIPAA compliant, it's time to act. Have a Risk Assessment done immediately, and make sure it is delivered and available in electronic format, preferably online.

Robert Felps
About the Author

Innovative problem solver. Robert Felps takes a holistic view of the situation, understanding the business objectives, then architects a solution that exceeds the expectations for much less than standard industry solutions would cost.

  1. Julia
    Jan 11, 2017 at 19:08

    Gosh! Where does the information about 2019 come from?

    • Robert Felps
      Jan 12, 2017 at 09:27

      We initially heard about this from one of our partner HIPAA consultants, who heard it in a HIPAA CE session. We then heard the same info from another HIPAA consultant involved with HHS OCR audits. Recently we heard it from a HIPAA law firm. No confirmation from the OCR though, so it's worth the "ink" with which it's written. :-) But, with audit submissions now required to be electronic, electronic auditing will soon follow; then it's just a matter of how they will automate the auditing.
