
Three steps to prepare for a HIPAA audit - How does it affect you - Ernst & Young - Global

Three steps to prepare for a HIPAA audit

How does it affect you?


Violations and consequences

Covered entity: Massachusetts General Hospital
Incident: Loss of PHI of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS
HIPAA violation(s):
  • Failing to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from premises
Civil money penalties:
  • Resolution agreement with $1 million in civil penalties
  • Three-year Corrective Action Plan (CAP)

Covered entity: University of California at Los Angeles Health System (UCLAHS)
Incident: Celebrity complainants who claimed that employees of UCLAHS repeatedly looked at their PHI without a permissible purpose
HIPAA violation(s):
  • Failing to implement security controls to reduce the risk of impermissible access
  • Failing to provide Security Rule training
  • Failing to apply appropriate sanctions against workforce members who violated UCLAHS policies and procedures
Civil money penalties:
  • Resolution agreement with $865,500 in civil money penalties
  • Three-year Corrective Action Plan (CAP) that begins once OCR approves the “Monitor Plan” established by UCLAHS


Initial audits will help identify industry challenges and leading practices for complying with HIPAA.

Under the new HITECH provisions, sanctions for non-compliance are substantial and include tiered fines with a potential maximum of $1.5 million per identical violation per year.

Violations and consequences

  • Civil actions are now possible

      Under the HITECH Act, State Attorneys General can now bring civil actions to enforce HIPAA. Similarly, the Department of Justice is also empowered to enforce HIPAA where criminal activity is suspected.


  • Remediation opportunity

      If an audit deficiency is discovered, covered entities (CEs) will have 10 days prior to finalization of the audit report to discuss concerns and describe the corrective actions implemented to address the issues identified.

      However, if they are not already substantially HIPAA-compliant, remediation may not be possible to avert fines or sanctions.



Contact us

  • Glen E. Day
    Senior Manager
    Advisory Services
    +1 805 778 7030

  • Reza Chapman
    Senior Manager
    Advisory Services
    +1 602 369 4952
