Call:  (407) 331-6620 or (850) 439-1001
Toll-free:  (888) 331-6620 

e-book thumbnail

Seven Things To Know When You Receive A Notice Of Investigation From The Department Of Health

HIPAA Audit Defense and Risk Assessments

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit contact The Health Law Firm immediately.

As required by the HITECH Act, the OCR began auditing selected covered entities’ compliance with the privacy and security provisions of HIPAA and its implementing regulations in November 2011. The OCR selected 150 covered entities to be audited in the pilot phase by KPMG LLP (KPMG). KPMG is the audit contractor chosen by the OCR to perform HIPAA audits. The first 20 audits concluded in March 2012. More audits will continue to occur this year.

HIPAA Patient Privacy Complaints.

If you are a patient with a HIPAA privacy complaint, please note: WE DO NOT REPRESENT PATIENTS ON HIPAA COMPLAINTS.

If you are a patient in FLorida who has sustained some actual damages because of a HIPAA privacy violation, please contact our colleague, Attorney Alistair McKenzie, and his firm may be able to assist you.

Whether inside the state of Florida or in any other state, you may file a HIPAA privacy complaint against a physician, hospital, medical group, or other covered entity, online here. The United States Office of Civil Rights (OCR) receives these, investigates them, and will advise you of the results.

HIPAA Audit Process.

The HIPAA audit process was drafted by the OCR and KPMG in November 2011. Entities selected for an audit receive a notification letter from OCR and are asked to provide documentation to the auditor. Every audit includes a site visit. After the site visit and initial investigation, KPMG recommends suggested modifications for the entity to meet compliance standards in a draft audit report. The entity will have an opportunity to respond to the draft audit report, citing any findings made by KPMG that may be incorrect. KPMG then summarizes final results in a final audit report. The final audit report details how the audit was conducted; what the findings were and; what actions the covered entity is taking in response to those findings.

HIPAA Risk Assessment.

The first step you should take if notified of a HIPAA breach or the possible compromise of patient health information is to conduct a risk assessment. The Health Law Firm can conduct a risk assessment for you using guidelines from the Office of Civil Rights. Often such a risk assessment will disclose that there is no further need for an audit, investigation or breach notification.

HIPAA Audit Results.

The biggest privacy issues from the first round of audits involved:

  • Review process for denials of patient access to records;
  • Failure to provide appropriate patient access to records;
  • Lack of policies and procedures;
  • Uses and disclosures of decedent information;
  • Disclosures to personal representatives; and
  • Business associate contracts.

The biggest security issues from the initial HIPAA audits include:

  • User activity monitoring;
  • Contingency planning;
  • Media reuse and destruction;
  • Risk assessment; and
  • Granting and modifying user access.

Tips to Prepare for a HIPAA Audit.

Before the Audit:

  • All policies and procedures required by the HIPAA Privacy, Breach Notice, and Security Rules should be finalized and regulator-ready.
  • Assign individuals in your organization that can speak to each aspect of HIPAA implementation. Be sure they are aware of questions that may be asked by the OCR concerning compliance.
  • HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis.  The OCR recently released guidance on conducting such an analysis. This risk analysis guidance can be found here. The results of your risk analysis will likely be among the documents requested for review during an audit.  If you have not conducted a risk analysis in the last year, do so now. Evaluate the results and determine how to handle identified risks. Be sure to carefully document each step of the risk analysis process.
  • Train employees on compliance. Maintain documentation that every relevant employee has been trained.
  • Identify all of your vendors that handle protected health information. Negotiate business associate agreements with all such vendors.

During the Audit:

  • Respond to every notice provided by the OCR in a timely manner. All relevant personnel should receive copies of the OCR’s written notice of its intent to audit.
  • Appropriately respond to the draft audit report with any findings that you believe were unfair or inaccurate before the report is finalized. According to the OCR you should have ten days to respond.

After the Audit:

  • When audit is over, enforce compliance measures suggested by the OCR. To avoid further action taken by the OCR.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at