OCR audits reveal several organizations are failing in HIPAA compliance

HIM-HIPAA Insider, August 20, 2012

Too many healthcare organizations are receiving failing grades for HIPAA compliance, an analysis of OCR's first 20 initial audits reveals.

The biggest concern for Linda Sanches, OCR senior advisor and health information privacy lead for the audit program, was that some organizations have done little, if anything, to comply with HIPAA regulations.

"I was surprised to discover some entities have not put much effort into meeting their compliance responsibilities. Some had made no efforts to be in compliance," says Sanches, who discussed the results of those 20 initial audits with Briefings on HIPAA.

At the other end of the spectrum, some organizations are doing well with respect to compliance. Michael D. Ebert, national HIPAA services leader at KPMG, LLP, the company hired by OCR to conduct the audits, was surprised by how well at least one covered entity (CE) performed in the audits.

OCR plans to conduct a total of 115 audits by the end of December. The agency will review the findings to try to identify trends. "Our goal is to survey a wide range of entities," Sanches says. Sanches and Ebert both say it is likely compliance audits will continue beyond 2012. "It is our understanding the program will continue," says Sanches.

Healthcare organizations have a common question: what is necessary for HIPAA compliance?

Sanches suggests the following five strategies as next steps for providers:

  • Conduct a robust review and assessment. "Do a risk analysis. Look at what you are doing," she says. If you have made major changes, update your policies and procedures to reflect your current operations.
  • Determine the lines of business affected by HIPAA. Many hybrid organizations exist, she says. Some business lines are covered by HIPAA and some are not.
  • Map the flow of PHI movement within your organization, as well as how it flows to and from third parties. (See related article on p. 8.)
  • Find all of your PHI. (See related article on p. 8.)
  • Access guidance from OCR at

Read more in the August issue of Briefings on HIPAA.
