How the Compliancy Group Can Help Covered Entities Pass a HIPAA Audit

The second round of HIPAA compliance audits by the Department of Health and Human Services’ Office for Civil Rights started late last year. The audit program involves desk-based audits of HIPAA-covered entities and business associates, followed by a round of exhaustive audits with on-site visits. The desk audits have been completed; the on-site audits have been temporarily put on hold and are likely to begin in early 2018. Only a few covered entities were chosen for the second stage of compliance audits; nevertheless, covered entities that were not audited may still need to show that they comply with the HIPAA Rules.

Besides the audit program, HIPAA-covered entities that have had a breach of over 500 records will be investigated by OCR to determine whether the breach was caused by violations of the HIPAA Rules. OCR likewise investigates complaints submitted via the HHS site.

No financial penalties were issued during the first round of HIPAA compliance audits in 2011/2012; however, that may not be the case for the second round. Additionally, the last two years have seen more financial penalties for HIPAA Rules violations that were identified during investigations of complaints and breaches.

The risk of an audit or investigation is currently higher, and OCR is penalizing more entities for violations. Consequently, covered entities can no longer take chances. Many healthcare companies are using HIPAA compliance software and enlisting compliance specialists to make sure they have complete compliance programs and avert financial penalties. One example is the Imperial Valley Family Care Medical Group.

Imperial Valley Family Care Medical Group (IVFCMG) is a multi-specialty physicians’ group with 16 centers across California. IVFCMG was not chosen for a desk audit; however, after a laptop computer was stolen, OCR investigated the breach. OCR required IVFCMG to demonstrate its compliance with the HIPAA Rules and to present documentation proving that the breach was not due to a failure to adhere to the HIPAA Rules.

Covered entities fear a comprehensive HIPAA audit, yet investigations of data breaches are just as comprehensive. OCR usually requires substantial documentation to evaluate compliance when investigating breaches of protected health information. In the case of IVFCMG, OCR’s investigation was extensive.



Replying promptly to OCR’s numerous questions was vital. IVFCMG, like many covered entities that OCR investigates or selects for an audit, needed to respond carefully. All questions should be answered on time and supported with relevant documentation. If the HIPAA Rules are not strictly followed after a data breach, the covered entity will be fined. Consider Presence Health, which was penalized $475,000 by OCR for potential HIPAA Breach Notification Rule violations after experiencing a breach of PHI.

Right after the breach, IVFCMG sought third-party help and approached the Compliancy Group. With the company’s Breach Response Program, IVFCMG was able to make certain that it completed all the required actions promptly and that each of those steps was properly documented.

The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software program. Compliancy Group streamlines HIPAA compliance, enabling healthcare providers to run their businesses with confidence while satisfying all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” strategy to ensure continuing compliance, with HIPAA compliance specialists advising covered entities every step of the way.

The Chief Strategic Officer of IVFCMG, Don Caudill, said that the Compliancy Group gave a complete report and documentation showing that IVFCMG’s HIPAA compliance program adhered to the law, which really helped IVFCMG to avoid large fines. When OCR asked questions regarding another facet of the HIPAA Rules, IVFCMG responded in due time and provided proof that it complied.

Small and medium-sized HIPAA-covered entities with limited resources to allocate to HIPAA compliance benefit greatly from using HIPAA compliance software and getting outside help from HIPAA compliance specialists.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.