The Department of Health and Human Services Office for Civil Rights (OCR), which is responsible for HIPAA enforcement, has launched phase two of its HIPAA Audit Program to review the policies and procedures adopted by covered entities and their business associates.

If the OCR auditors come knocking, will you and/or your clients be ready?

What We Knew in 2015:

  1. The team at OCR was stretched thin and didn’t have the resources needed to carry out the audits. Problem solved - OCR Director Jocelyn Samuels hired FCi Federal to provide temporary staffing and support services for the audits.
  2. The majority of the audits were "desk" or remote audits, but there were some onsite audits as well.
  3. OCR investigators looked at key areas of HIPAA compliance, especially those problem areas pinpointed during OCR's breach investigations, such as a lack of comprehensive, timely risk assessment and mitigation.
  4. OCR updated its HIPAA audit protocols, including its criteria and screening tools for potential audit subjects.
  5. According to Deven McGraw, OCR’s Deputy Director for Health Information Privacy, the audits included both covered entities AND business associates of all shapes and sizes.

What We Know Now:

  1. OCR has notified 167 covered entities that they have been selected for the HIPAA audit program and that they must submit the requested documentation for a remote "desk audit" within just 10 business days.
  2. The desk audits will examine compliance with the HIPAA Privacy, Security and Breach Notification Rules, and OCR says it will specifically examine documentation of compliance with only these requirements:

    • Privacy Rule: Notice of privacy practices; provision of electronic notice; patient right of access to the designated record set.
    • Breach Notification Rule: Timeliness of notification and content of notification.
    • Security Rule: Security management processes, including risk analysis and risk management.
  3. Recently, OCR issued a $2.7 million financial penalty as part of a resolution agreement with a covered entity over two smaller breaches, and issued guidance confirming that a ransomware attack that encrypts protected health information is presumed to be a reportable breach under HIPAA unless the entity can demonstrate a low probability that the PHI was compromised.

Now that it's clear that audits are well under way, you and your clients need to invest time in identifying and closing any HIPAA compliance gaps before an OCR investigator does it for you. According to the Department of Health and Human Services, the latter can be costly: penalties for noncompliance are tiered by the level of negligence and range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. And if that weren't motivation enough to get your house in order, knowing violations can also carry criminal charges that can result in jail time.

So it's more important than ever to be equipped with the right backend tools and to be in a position to ensure that your healthcare clients meet HIPAA requirements.

Services MSPs Can Provide Healthcare Clients:

Risk Assessment:

The Security Rule requires every covered entity and business associate to conduct an accurate and thorough risk analysis of the risks to the confidentiality, integrity and availability of electronic PHI. The rule does not prescribe a fixed interval, but it expects the analysis to be reviewed and updated as needed, especially after significant changes to the environment, and an annual assessment is the widely accepted baseline. You can offer a one-time HIPAA Compliance package that includes a HIPAA risk assessment as well as the documents that serve as evidence of HIPAA compliance.

Remediation Services:

Organizations fail audits most often not because they skipped the risk assessment but because they never followed up on the problem areas it identified. Help your clients prioritize the issues identified during the risk assessment and remediate first the ones that carry the highest risk and the highest potential fines. Document each remediation decision as you go: the desk audit asks for evidence of risk management, not just the risk analysis itself.

Managed Compliance Services:

Perform a HIPAA assessment at a regular interval (annually at a minimum, and whenever the environment changes significantly) so that the organization is not just compliant on the day of the risk assessment but stays compliant between assessments. After the initial assessment and remediation project is complete, set a schedule of periodic re-assessments to maintain ongoing compliance.

Browse additional HIPAA material:

Continuum offers a HIPAA Assessment Tool, which allows you to expand your service portfolio, generate additional revenue and most importantly, help your clients survive an OCR audit.
