HIPAA 2016: Are More Compliance Audits on the Horizon?

According to OCR officials, the Department of Health and Human Services Office for Civil Rights (OCR), which is responsible for HIPAA enforcement, is taking steps to relaunch its random compliance audit program in “early 2016.”

If the OCR auditors come knocking, will you and/or your clients be ready?

What We Know:

  1. Until now, the team at OCR was stretched thin and lacked the resources needed to carry out the audits. That problem has been addressed: OCR Director Jocelyn Samuels has hired FCi Federal to provide temporary staffing and support services for the audits.
  2. The majority of the audits will be "desk" (remote) audits, but there will be some onsite audits as well.
  3. OCR auditors will look at key areas of HIPAA compliance, especially the problem areas identified during OCR's breach investigations, such as the lack of a comprehensive, timely risk analysis and of follow-through on mitigating the risks it identifies.
  4. OCR is updating its HIPAA audit protocols, including its criteria and screening tools for selecting potential audit subjects.
  5. According to Deven McGraw, OCR’s Deputy Director for Health Information Privacy, the audits will include both covered entities AND business associates of all shapes and sizes going forward.

Now that it’s clear that audits are on the horizon, you and your clients need to invest time in identifying and closing any HIPAA compliance gaps before an OCR investigator does it for you. According to the Department of Health and Human Services, the latter can be costly. Civil penalties for noncompliance are tiered by the level of negligence and range from $100 to $50,000 per violation (or per record), with a maximum of $1.5 million per year for violations of an identical provision. And if that weren’t motivation enough to get your house in order, knowing violations can also carry criminal charges that can result in jail time.

So it’s more important than ever to be equipped with the best possible backend tools and to be in a position to ensure that your healthcare clients meet HIPAA requirements.

Services MSPs Can Provide Healthcare Clients:

Risk Assessment: The HIPAA Security Rule requires every covered entity (and business associate) to conduct a risk analysis and to review and update it periodically; many organizations treat once a year as the minimum. You can offer a one-time HIPAA Compliance package that includes a HIPAA risk assessment as well as the documentation that serves as evidence of HIPAA compliance.

Remediation Services: Most audit failures come from organizations that complete a thorough risk assessment but never follow up on the problem areas it identified. Help your clients prioritize the issues found during the risk assessment and remediate first the ones that carry the highest risk and the highest potential fines.

Managed Compliance Services: Perform a HIPAA assessment at a regular interval (at least annually, and whenever the environment changes materially) so that the organization is not only compliant at the time of the assessment but stays compliant between assessments. After the initial assessment and remediation project is complete, set a schedule of periodic re-assessments to verify continued compliance.

Browse additional HIPAA material:

Continuum offers a HIPAA Assessment Tool that lets you expand your service portfolio, generate additional revenue and, most importantly, help your clients survive an OCR audit. To learn more about this tool and how to use it to boost your bottom line, check out our recent webinar.

Mary Crogan is director of product marketing at Continuum Managed Services. Read all of Continuum’s guest blogs here.