The Department of Health and Human Services begins Phase 2 of its compliance audits, your health care organization and business partners may be audited.



msinc1Alpharetta, GA - In the wake of a continuing trend that has seen a high number of data security breaches in the health care sector as recently as last week in Ohio, the Department of Health and Human Services Office for Civil Rights (OCR) is continuing its HIPAA compliance enforcement program. Their goal is to ensure compliance with HIPAA protections which are designed to protect individuals that are so often the victims of the theft of medical records, personal information, and identities.

"Sooner or later, your health care organization will get an audit request letter from OCR. Your practice and all staff need to be in full HIPAA compliance before that letter arrives for the wellbeing of your practice’s financial health as well as your patients. OCR penalties have been $100,000+.  We’re here to answer your questions."

-Chris Jann, Medicus Solutions

OCR considers the audits to be a compliance improvement activity whose collective results will help them better understand the compliance efforts with particular HIPAA rules on a broader scale. They hope to discover best practices and processes that individual organizations are utilizing as well as reasons why data breaches are occurring so frequently so that new tools can be created to better protect patient information. So what happens if you find out that your health care organization is being audited?


What You Need To Know

Over the next few months, OCR will notify selected health care organizations and entities in writing about their selection for a desk audit. These requests will begin via email so be sure to check your spam or junk filters as this is not a request you want to miss.

In that correspondence, OCR will include a letter introducing the team, explaining the process and OCR's specific expectations for the audit. Your organization will be required to submit data and documents as requested in the OCR letter by way of a secure online submission system.

After the OCR audit team assigned to your entity reviews the documents, their auditors will provide you with a draft of their findings. It is imperative that if the findings are less than favorable that you respond as soon as possible to their findings. You only have 10 days to comply with the original document request and another 10 days after the draft of their findings are provided for you to respond to the audit team. Any response you give them will be included in the final report. Providing clarity to questions or concerns raised in the initial findings draft may prevent a broader onsite audit.

While that process is unfolding, OCR will also be reaching out to your business associates initiating a desk audit for them as well. They will also receive a final copy of the results.

These desk audits are expected to be completed by the end of 2016.


Onsite Audits

Onsite audits are desk audits on steroids. OCR representatives come to your office(s) and give a more comprehensive and thorough look at your entity’s HIPAA compliance. Should an onsite audit be requested, entities will be notified via email and the assigned auditor will look to schedule a conference to provide more information about the process and the expectations. These onsite audits can take anywhere from 3-5 days, depending on the size of your healthcare organization. These audits are far more robust than desk audits, covering a significantly wider range of HIPAA rules.

Should a serious HIPAA compliance issue be found in any of these audits, OCR may initiate a compliance review to further investigate what is going on in your healthcare organization.

OCR has no intention of making the results of these audits public, though they may be required to by way of the Freedom of Information Act.


How To Prepare Your Healthcare Organization for a possible HIPAA Audit


  • Prepare a list of each business associate you have so that they can respond to any requests sent to them regarding your entity. Part of the audit process includes your business associates providing select documentation. Be ready in advance.
  • Submit requested documents and responses to their initial findings in a timely fashion. From the day you receive the request, you only have 10 business days to respond with the requested data and documentation.


Improving HIPAA compliance of your health care organization through Medicus Solutions.

With over 20 years of experience in medical IT solutions and support, the Medicus team is uniquely equipped to help your organization fully comply with HIPAA rules and regulations. We provide your organization with top-tier services and industry-leading support. Our Medi-HIPAA Pack 1  and Medi-HIPAA Pack 2 are designed to ensure that the medical records under your care are protected from all IT-related issues and legal repercussions. We can secure your digital transmissions, encrypt your medical records, provide secure cloud hosting and much more. Read more about all of our medical IT support services.

Even if your organization is not audited this year, OCR’s plans for 2017 are unclear.  Before that letter arrives, let Medicus give you and your staff the peace of mind of knowing that their confidential and private information will not be lost on your watch.

Read more about HIPAA Privacy, Security and Breach Notification Audit Program here.


About Medicus Solutions:

Medicus Solutions, LLC ( is an Alpharetta, GA based company that specializes in providing IT management solutions to improve the efficiency, security and stability of your company's operations. Medicus offers a range of IT services that work both independently and in unison to ensure your company operates securely, seamlessly and efficiently. Featuring secure email and backup services, virtual hosting services, HIPAA-approved file encryption systems, and much more. For more information about Medicus Solutions, please call our main office in Alpharetta at 678-495-5900 or visit our website.

Medicus Solutions writes about news, technologies, and educational topics that are defining the future of health care IT solutions and security issues at its blog.


Source: Medicus Solutions, LLC


Sign up for the Medicus Mashup

Recent Posts