March 04, 2008

Is There a HIPAA Audit on Your Horizon?

For years, we've known that the Department of Health and Human Services (HHS) has had the authority to conduct HIPAA compliance audits but has instead chosen to focus on responding to complaints and seeking voluntary resolutions.

Then last year, we heard that HHS was actually doing a HIPAA security audit at a hospital in Atlanta. Now, it looks as though HHS is going to be doing even more audits.

HHS has hired a private contractor to conduct HIPAA security rule compliance audits. HHS plans to target between 10 and 20 covered entities between now and September 2008 for these compliance reviews. HHS says that it will also conduct onsite investigations that may be triggered by HIPAA complaints. Following these investigations or compliance reviews, HHS may impose fines, institute corrective action plans, or take other actions.

If you'd like to get a flavor for what these compliance reviews may look like, HHS has just posted on its Web site a sample of the interview and document requests that will be sent to the targeted organizations. You can view these sample requests here.

If you haven't thought about your HIPAA policies and procedures for a while, now is a good time to revisit them. The HIPAA security rules require you to do a risk assessment periodically, and both the HIPAA security rules and privacy rules require an ongoing training program for those employees who work with medical information that is subject to HIPAA. If you are audited, expect that HHS will look for evidence that these things are happening. You might also find that your HIPAA policies and procedures need to be updated to reflect how your privacy and security practices have evolved over time.

Also, be sure to treat all complaints seriously. Even if there isn't a formal complaint filed, a verbal complaint or even an offhand remark by someone could be a signal that HIPAA policies aren't being followed. You should investigate all such issues before they escalate into a HIPAA complaint filed with HHS.

If you have any questions about HIPAA compliance, please contact a member of the Employee Benefits or Health Law teams at Warner.

