A HIPAA audit is a formal review conducted by the Office for Civil Rights (OCR) or a third party to ensure that covered entities and business associates comply with the Health Insurance Portability and Accountability Act (HIPAA). The audit assesses the entity's policies, procedures, and practices regarding protected health information (PHI).
Covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and business associates (organizations or individuals that handle PHI on behalf of a covered entity) are subject to HIPAA audits.
See also: The guide to HIPAA audits
HIPAA audits are generally triggered by complaints or breaches. They may also be randomly conducted by the OCR. Entities that have reported a data breach or have a history of non-compliance may be more likely to be audited.
Go deeper: What triggers a HIPAA audit?
The scope of a HIPAA audit includes privacy policies, security measures, breach notification processes, risk assessments, employee training, and documentation of compliance efforts. Auditors will also examine how PHI is stored, transmitted, and accessed.
The objectives of a HIPAA audit must be defined for each system and application in the audit.
Related: HIPAA Compliant Email: The Definitive Guide.
Organizations should conduct regular risk assessments, update and document their HIPAA policies and procedures, train employees on HIPAA compliance, maintain thorough records of compliance activities, and ensure they have a breach response plan.
Go deeper: How to prepare for a HIPAA audit
If an organization is non-compliant, the OCR may issue corrective action plans, require the implementation of additional safeguards, or impose fines. The severity of penalties depends on the extent of non-compliance and on whether it resulted from willful neglect or was accidental.
Penalties for HIPAA non-compliance range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations. Willful neglect that is not corrected can result in higher fines and even criminal charges.
The duration of a HIPAA audit can vary depending on the organization's size and the scope of the audit. Typically, audits can last anywhere from several weeks to several months.
An organization can appeal the findings of a HIPAA audit. If the entity disagrees with the findings, it may request a hearing before an administrative law judge or seek a settlement agreement with the OCR.
Learn more: Appealing the findings of a HIPAA audit
The OCR provides a range of resources, including guidance documents, training materials, and tools for conducting risk assessments. Organizations can also consult legal experts or HIPAA compliance consultants, or use HIPAA compliance software.
Read more: Resources to help covered entities maintain HIPAA compliance