Three steps to prepare for a HIPAA audit

How does it affect you?

Recent enforcement actions (incident, significance, HIPAA violations, penalties):

Phoenix Cardiac Surgery, P.C.
  Incident: The physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.
  Significance: Demonstrates OCR’s intent to vigorously enforce the HIPAA rules no matter the size of the covered entity.
  HIPAA violations:
  • Failing to implement adequate policies and procedures to appropriately safeguard patient information
  • Failing to document that it trained any employees on its policies and procedures on the Privacy and Security Rules
  • Failing to identify a security official and conduct a risk analysis
  • Failing to obtain business associate agreements with Internet-based e-mail and calendar services where the provision of the service included storage of and access to its ePHI
  Penalties:
  • $100,000 settlement
  • Corrective action plan to implement policies and procedures to safeguard the protected health information of its patients

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI)
  Incident: Theft of an unencrypted laptop containing the ePHI of MEEI patients and research subjects.
  Significance: Fine of maximum penalty for “willful neglect”; agreement including mandatory corrective action plan.
  HIPAA violations:
  • Failing to conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices
  • Failing to implement security measures sufficient to ensure the confidentiality of ePHI
  • Failing to adopt and implement policies and procedures to restrict access to ePHI to authorized users
  • Failing to adopt and implement policies and procedures to address security incidents
  Penalties:
  • $1.5 million settlement
  • Requirement for MEEI to adhere to a corrective action plan
  • Consent to an independent monitor to conduct assessments of compliance with the corrective plan for three years

The Hospice of North Idaho (HONI)
  Incident: Theft of a laptop computer containing unencrypted ePHI.
  Significance: First settlement involving an ePHI breach affecting fewer than 500 individuals.
  HIPAA violations:
  • Failure to conduct a risk analysis to safeguard ePHI
  • No policies or procedures in place to address mobile device security
  Penalties:
  • $50,000 settlement

Under the new HITECH provisions, sanctions for non-compliance are substantial and include tiered fines with a potential maximum of $1.5 million per identical violation per year.

Violations and consequences

  • Civil actions are now possible

      Under the HITECH Act, State Attorneys General can now bring civil actions to enforce HIPAA. Similarly, the Department of Justice is empowered to enforce HIPAA where criminal activity is suspected.

  • Remediation opportunity

      If an audit deficiency is discovered, covered entities (CEs) will have 10 days prior to finalization of the audit report to discuss concerns and describe the corrective actions implemented to address the issues identified.

      However, if they are not already substantially HIPAA-compliant, remediation may not be possible to avert fines or sanctions.