As HIPAA Audits Expand, Understand What Happens When the Feds Call

With the government shutdown over, the HHS Office for Civil Rights, among other initiatives, is back at work expanding its audit program for compliance with the HIPAA privacy and security rules.



It is a good time to look at the resolution agreements, with large monetary fines and required corrective action programs, that OCR has imposed on 16 organizations since 2008. Nine of them have come since 2012, including one incident that involved fewer than 500 affected individuals, the first significant enforcement from OCR for a case not considered a “major” breach under HIPAA.


So, more audits are coming, and an organization’s breach doesn’t have to be big to get a letter from OCR requesting additional information. The resolution agreements are here. Also on the site are multiple examples of other breaches that OCR has investigated that did not result in fines, and the corrective actions that were required.
