Results from Initial Round of HIPAA Audits Released by the OCR

Thursday, June 28, 2012

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

New information is available regarding the Office for Civil Rights’ (OCR) initial round of mandated audits of Health Insurance Portability and Accountability Act (HIPAA) covered entities. The OCR announced official details concerning the audits at an OCR and National Institute of Standards and Technology (NIST) conference held June 6, 2012.

Initial HIPAA Audits Began November 2011.

As required by the HITECH Act, the OCR began auditing selected covered entities’ compliance with the privacy and security provisions of HIPAA and its implementing regulations in November 2011. The OCR selected 150 covered entities to be audited in the pilot phase by KPMG LLP (KPMG). KPMG is the audit contractor chosen by the OCR to perform HIPAA audits. The first 20 audits concluded in March 2012. More audits will continue to occur this year.

HIPAA Audit Process.

The HIPAA audit process was drafted by the OCR and KPMG in November 2011. Entities selected for an audit receive a notification letter from the OCR and are asked to provide documentation to the auditor. Every audit includes a site visit. After the site visit and initial investigation, KPMG recommends modifications the entity should make to meet compliance standards in a draft audit report. The entity then has an opportunity to respond to the draft audit report, citing any findings made by KPMG that it believes are incorrect. KPMG then summarizes the final results in a final audit report. The final audit report details how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings.

HIPAA Audit Results.

The results of the initial round of audits revealed that small covered entities had considerably more issues than large ones. Six of the 20 audited entities were small entities (i.e., $50 million or less in revenue). However, these small entities accounted for 66% of the deficiency findings. Additionally, the OCR reported that health care providers had more problems than health plans or clearinghouses. A disproportionate number of the deficiencies were attributable to health care providers. While providers represented 50% of the 20 audited entities, they were responsible for 81% of the deficiency findings.

The OCR also announced that the majority of the findings were related to the Security Rule. The OCR indicated that this is partially attributable to the fact that more of the audit protocol focuses on security than on privacy or breach notification.

To view the OCR's presentation on HIPAA audit findings, click here.

Major Privacy and Security Issues Reported in HIPAA Audits.

The biggest privacy issues from the first round of audits involved:

  • Review process for denials of patient access to records;
  • Failure to provide appropriate patient access to records;
  • Lack of policies and procedures;
  • Uses and disclosures of decedent information;
  • Disclosures to personal representatives; and
  • Business associate contracts.

The biggest security issues from the initial HIPAA audits include:

  • User activity monitoring;
  • Contingency planning;
  • Media reuse and destruction;
  • Risk assessment; and
  • Granting and modifying user access.

Tips to Prepare for a HIPAA Audit.

Although the first round of audits has concluded, HIPAA audits will continue to be conducted through December 2012. Covered entities that avoided the first round of HIPAA audits can learn from the results released by OCR. The OCR is also expected to release an audit protocol which will further assist covered entities in learning how to prepare for a HIPAA audit. The following tips should assist covered entities in preparing for and responding to a HIPAA audit.

To see a previous blog post regarding health care audits, click here.

Before the Audit:

  • All policies and procedures required by the HIPAA Privacy, Breach Notice, and Security Rules should be finalized and regulator-ready.
  • Assign individuals in your organization who can speak to each aspect of HIPAA implementation. Be sure they are aware of the questions the OCR may ask concerning compliance.
  • HIPAA's Security Rule requires that covered entities periodically conduct a risk analysis. The OCR recently released guidance on conducting such an analysis. This risk analysis guidance can be found here. The results of your risk analysis will likely be among the documents requested for review during an audit. If you have not conducted a risk analysis in the last year, do so now. Evaluate the results and determine how to handle identified risks. Be sure to carefully document each step of the risk analysis process.
  • Train employees on compliance. Maintain documentation that every relevant employee has been trained.
  • Identify all of your vendors that handle protected health information. Negotiate business associate agreements with all such vendors.

During the Audit:

  • Respond to every notice provided by the OCR in a timely manner. All relevant personnel should receive copies of the OCR’s written notice of its intent to audit.
  • Respond to the draft audit report with any findings that you believe were unfair or inaccurate before the report is finalized. According to the OCR, you should have ten days to respond.

After the Audit:

  • When the audit is over, implement the compliance measures suggested by the OCR in order to avoid further action by the OCR.

To view the HIPAA Privacy Rule, click here.
To view the HIPAA Security Regulation, click here.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit, contact The Health Law Firm immediately.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at

Sources Include:

Greene, Adam H. and Rebecca L. Williams. "HIPAA Audits Results Released: We Still Have Work to Do." JD Supra. (June 13, 2012). From:

Sanches, Linda. "2012 HIPAA Privacy and Security Audits." National Institute of Standards and Technology. (June 7, 2012). From:

Saul, H. Carol. "Update on OCR HIPAA Audits." Lexology. (May 29, 2012). From:

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Response to: Results from Initial Round of HIPAA Audits Released by the OCR
Friday, February 8, 2013
hipaacert says:

I really like your blog site and appreciate the given information about HIPAA Certification. DQS Certification is a premium Consulting, Assessment and Management Certification agency that provides services for HIPAA Certification, Training, Audit, Risk Management, and Contingency Planning worldwide. You can inform us of further posts about HIPAA Certification services and visit our official website for more information about Certification services.