Are you sure you are compliant?
When it comes to HIPAA compliance, nothing is ever easy. In fact, according to the Department of Health and Human Services (HHS), in 2017, 25,373 of the 36,690 investigated companies (69%) ended in corrective action. There are several ways healthcare organizations come to be audited: HHS could randomly select an organization or one of its business associates, a complaint could prompt HHS to audit your company, and in most cases a reported breach will ultimately result in a review.
Regardless of how an organization has come to be a reluctant participant in a HIPAA audit, a letter is sent by mail with instructions giving the company ten days to respond. After the response, HHS comes in and performs the audit. If you fail, several things could happen: a corrective action plan, federal and state fines, or even jail time. The chart below indicates which violations result in fines or jail time.
Common Vulnerabilities
Mistakes happen every day; however, certain mistakes within an organization can result in a failed HIPAA audit. One is failing to perform a risk analysis, which leaves the organization vulnerable to data breaches and will ultimately lead to a failed audit. The Department of Health and Human Services requires every company that handles protected health information (PHI) to conduct a risk analysis. According to Deven McGraw, deputy director for health information privacy at the HHS Office for Civil Rights, nearly every data breach that Health and Human Services investigates begins with an organization that has failed to complete a risk analysis.
Beyond failing to perform a risk analysis, another common mistake is not having clear business associate agreements in place. A business associate agreement (BAA) is a contract between a HIPAA covered entity and its business associates (BAs) that obliges the associate to protect PHI in accordance with HIPAA guidelines. HHS clearly defines what constitutes a business associate, including third-party administrators used for claims processing and independent transcriptionists.
Lastly, failing to report a breach within 60 days is yet another common mistake made by healthcare organizations. Breaches of PHI should be reported as soon as possible, and no later than 60 days after the breach is discovered. Under HIPAA, a breach is any use or disclosure prohibited by the Privacy Rule that compromises the security or privacy of PHI.
The pressures of an audit can be stressful for everyone in a company. Many health organizations struggle to find the time to manage their cybersecurity or have few qualified IT staff. This is why more and more organizations are turning to third-party IT solutions and cybersecurity firms to help them achieve HIPAA compliance. The key is strengthening your organization's cybersecurity practices: deploying prevention and detection tools, consulting with threat intelligence experts, training staff, and conducting risk assessments.