How healthcare organizations should prepare for a HIPAA audit

Providers should accept they will be examined and have documentation ready, says Deborah Gersh.
The time to prepare for a HIPAA audit is before the notification letter of a forthcoming audit hits a provider organization’s mailbox.

Absent preparation, an entity facing an audit will have to scramble to develop policies and procedures for protecting health information, and performing that through a rush job will look exactly like a rush job to regulators.

It is much easier to expect that your organization will be audited and to have a plan in place, says Deborah Gersh, a partner and co-chair in the healthcare practice at the Ropes & Gray law firm in Chicago. “The key is to be prepared when you get that letter.”
Developing a new philosophy on dealing with breaches also will be beneficial if a breach does occur. If a laptop is stolen, don’t let people fall into the trap of thinking, “it wasn’t our fault,” Gersh counsels.

In cases in which devices are stolen, the HHS Office for Civil Rights expects healthcare organizations to file a police report; determine if the data on the device was encrypted and, if not, what data was compromised; mitigate the breach and protect affected individuals; and develop and implement an updated data protection plan.

Protection plans are not just about policies and procedures, but about employees understanding what specific roles they will play if a breach occurs, Gersh says.

Obviously, the chief information officer, chief information security officer and privacy officer know their overall job responsibilities, but they may not know what specific roles they must fulfill in the event of a breach. Gersh says they should be prepared to step into specific responsibilities and know the answers to the following questions:

• Who contacts the police?

• Who files a report?

• Who determines whether a portion of the system should be isolated or taken offline?

• Who determines whether data was compromised?

• Who compiles the data to determine the affected individuals who must be notified about the breach?

If hackers infiltrate an organization's IT systems, it should already have a plan tailored in part to the nature of the breach, covering the steps to take for a stolen laptop or any other common type of breach, along with documentation of the steps taken and any related mitigation strategies, she adds.

This updated, well-documented plan will be an organization’s “lifeline of evidence” to present to OCR or the state if the organization is audited, according to Gersh. “Everyone on the team needs to know what the full game plan is.”

That plan should include increased breach and security awareness training, so that everyone in the organization stays alert to suspicious behavior and knows who the privacy and security officers are when they want to report something.

Importantly, don’t assume you’ll have up to 60 days to determine if a breach occurred, Gersh warns. That’s the federal timeline, but many states have shorter timelines, with some giving healthcare organizations only 10 business days to make a report.

What most gets organizations in trouble during a HIPAA audit is lack of documentation, which negates efforts to demonstrate that they have a coherent plan in place.

Organizations sometimes are doing the right things, such as training all employees with access to protected health information, but they don’t have any documentation of the training and materials to show regulators. And often, they don’t have documentation of any certifications of privacy and security training, even if such training was completed.

There also may not be appropriate business associate agreements in place, or the parties are not sufficiently aware of the obligations of each party. For example, are the parties aware of their respective notification and indemnification obligations under the agreements? Do those requirements differ from business associate to business associate?

But the worst thing an organization can do is to not have a comprehensive risk analysis, because lacking one is what gets an entity sanctioned by regulators. A comprehensive analysis can be overwhelming, but outside consultants can provide assistance.

The bottom line is to view all of the requirements, which are time-consuming and expensive, as essential activities because breaches will happen, and having meaningful policies and documentation in place will considerably ease an organization’s risk during an audit, Gersh says. “You’re going to do it one way or another.”