What to Expect from a HIPAA Audit in 2017

Are you prepared for a HIPAA audit in 2017? Discover what will be asked by the OCR in this year's coming audits.

Accountable Staff

As we discussed in our previous article, throughout 2017 the Office for Civil Rights (OCR) of the United States Department of Health & Human Services will be continuing “Phase 2” of its campaign to conduct HIPAA audits of covered entities in the healthcare industry and their business associates. The audits analyze and assess a covered entity’s or business associate’s compliance with current HIPAA rules and regulations.

In 2016, the OCR primarily conducted desk audits of a selection of entities. However, in 2017, it will begin conducting more in-depth onsite audits of entities of various sizes and functions.

The prospect of being selected for a HIPAA audit by the OCR may be intimidating, but it doesn’t have to be.

If you prepare your organization for each step of the auditing process before you’ve even been selected, you’ll stand a much better chance of looking good in the eyes of the OCR. Plus, even if you don’t end up being selected for a HIPAA audit, your organization will still benefit from the improvements made during this preparation.

Following is a list of procedural steps the OCR will take throughout the auditing process, along with steps you can take to ensure your organization is properly prepared to be audited in the coming year.

Step 1: The OCR Makes Initial Contact

The process of a HIPAA audit begins when the OCR reaches out in order to gather more information about an organization.

Throughout 2017, the OCR will contact healthcare-related organizations (both covered entities and business associates) via email, asking them to fill out an initial pre-screening survey. Again, organizations of all sizes and functions should anticipate receiving this email.

Preparing to be Contacted by the OCR

Once you are contacted, you will have fourteen days to respond to the email by completing the survey.

Though this step is fairly straightforward, it’s vital that you check the inbox you registered with the OCR often and consistently so you don’t miss this initial contact message. Make sure OSOCRAudit@hhs.gov is on your email service’s allowlist (whitelist) so the message isn’t filtered as spam, and confirm that the contact address you’ve provided to the OCR in the past is correct and still monitored.

There is no guarantee that the OCR will contact you, but that is no reason not to be prepared. If you know what to expect should you be notified, you’ll be in a much better position to help the auditing process go as smoothly as possible.

(One important note: On Nov. 28, 2016, the OCR announced that attackers had begun circulating a phishing email from a look-alike address [OSOCRAudit@hhs-gov.us] in an attempt to get recipients to submit their information to a phony website [http://www.hhs-gov.us]. The display name and local part can be copied exactly, so check the actual sending domain: a genuine message comes from OSOCRAudit@hhs.gov, and any link it contains should lead to https://www.hhs.gov/. A domain such as hhs-gov.us is not hhs.gov, no matter how similar it looks.)
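The two checks in the note above (exact sender address, and links that resolve to hhs.gov over HTTPS) can be automated for anyone triaging a suspected OCR message. The following Python is an added example, not code from the original article or from the OCR; the two sample messages are constructed here for illustration and reuse only the genuine and look-alike addresses named on the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Genuine sender named in the OCR announcement; compared case-insensitively.
EXPECTED_SENDER = "osocraudit@hhs.gov"
# Links in a genuine message should lead to hhs.gov (or a real subdomain of it).
TRUSTED_LINK_DOMAIN = "hhs.gov"

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def host_is_trusted(host):
    """True only for hhs.gov itself or a genuine subdomain such as www.hhs.gov.
    Look-alikes fail: 'hhs-gov.us' is a different registrable domain, and
    'hhs.gov.attacker.example' only *starts* with the trusted name."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_LINK_DOMAIN or host.endswith("." + TRUSTED_LINK_DOMAIN)


def check_ocr_message(raw_message):
    """Return (ok, reasons). ok is True only when the From address is exactly
    the expected one and every link in the body is an https URL on hhs.gov."""
    msg = message_from_string(raw_message)
    reasons = []

    # parseaddr() strips the display name, so a copied name cannot help an attacker.
    _display_name, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != EXPECTED_SENDER:
        reasons.append("sender %r is not %s" % (sender, EXPECTED_SENDER))

    # Collect the text of every text part (works for single-part and multipart mail).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme.lower() != "https" or not host_is_trusted(host):
            reasons.append("link %r does not lead to https://%s" % (url, TRUSTED_LINK_DOMAIN))

    return (not reasons, reasons)


# Constructed sample: what a genuine pre-screening notice would look like.
LEGIT_MESSAGE = (
    "From: OCR Audit <OSOCRAudit@hhs.gov>\n"
    "To: privacy-officer@clinic.example\n"
    "Subject: HIPAA Audit Pre-Screening Survey\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please complete the pre-screening survey at https://www.hhs.gov/ within 14 days.\n"
)

# Constructed sample modelled on the look-alike address and site the OCR warned about.
PHISHING_MESSAGE = (
    "From: OCR Audit <OSOCRAudit@hhs-gov.us>\n"
    "To: privacy-officer@clinic.example\n"
    "Subject: HIPAA Audit Pre-Screening Survey\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please submit your organization's details at http://www.hhs-gov.us\n"
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_MESSAGE), ("phishing", PHISHING_MESSAGE)):
        ok, reasons = check_ocr_message(raw)
        print(label, "->", "OK" if ok else "SUSPECT")
        for reason in reasons:
            print("   ", reason)
```

The host check deliberately compares whole labels rather than substrings: `"hhs.gov" in host` would accept `hhs.gov.attacker.example`, while the suffix test above does not. A passing result here only means the visible address and links are consistent with the OCR’s announcement; it says nothing about whether the From header was spoofed, so it complements rather than replaces your mail gateway’s SPF/DKIM/DMARC evaluation.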

Step 2: Responding to Initial Contact

As mentioned, once an organization receives the initial pre-screening survey from the OCR, its designated contact will have fourteen days to complete and return it.

This initial survey requires covered entities and business associates to answer questions and provide information regarding the organization’s:

  • Healthcare-related duties
  • Size and scope
  • Yearly revenue
  • Affiliations (i.e., business relationships that involve Protected Health Information (PHI) in any capacity)
  • Use of technology with regard to PHI

After the OCR has collected surveys from all of the organizations contacted, it will then choose from a “random sampling of the audit pool” to determine which of these organizations will be subject to a full onsite audit.

Note that organizations that fail to respond to the pre-screening survey may be subject to a full compliance review from the OCR – a process reserved for organizations deemed negligent in their HIPAA-related duties.

Preparing to Respond to the OCR

If your organization is contacted by the OCR and asked to complete the pre-screening survey, you’ll want to:

  • Provide accurate and current information throughout the survey. The more questions an auditor has after reading through your survey, the higher the probability of your organization being chosen for an audit.
  • Ensure your list of business associates is completely accurate. Include even the most incidental business relationships, even if the associate didn’t have access to your patients’ PHI.
  • Avoid discrepancies within the information you provide. If an auditor notices inconsistent – or, worse, contradictory – information in your survey, they will almost surely suggest your organization be subject to audit.

The quality of your response to the pre-screening questionnaire is critical. If everything is in order, you still may be chosen for a HIPAA audit. But if any issues become obvious during this pre-screening stage, you almost certainly will be targeted by the OCR for auditing (and possible sanctions if your organization is deemed negligent or otherwise non-compliant).

Step 3: An Onsite HIPAA Audit

Before diving into what to expect during an onsite HIPAA audit in 2017, let’s review what the OCR looked for last year while completing desk audits.

In 2016, the OCR selected a number of covered entities to receive a desk audit. Chosen organizations were asked to provide information regarding their policies and procedures involving patient privacy, patient access to information, and electronic data security. The OCR’s desk audit campaign was completed in December of 2016.

Now, in 2017, the OCR will begin completing onsite audits of both covered entities and business associates of these entities. All organizations that filled out the pre-screening survey are eligible to be chosen for an onsite audit – even if they underwent a desk audit in 2016.

(Note: “Onsite” does not necessarily mean auditors will physically visit a site – unless they deem it necessary to do so.)

When chosen for an onsite audit, an organization will be asked to provide information to the OCR regarding its policies and procedures and documentation proving these policies and procedures are in place. This information and documentation will be submitted through the OCR’s online portal.

An auditor from the OCR will then review the information provided, and draft a report analyzing and assessing the organization’s level of HIPAA compliance. This report will be provided to the auditee, who will then have an opportunity to respond (if they feel it necessary).

Once this process is completed, the auditor will compile a document consisting of:

  • The steps taken throughout the process
  • The findings of the audit
  • An assessment of the findings
  • The auditee’s response (if applicable)
  • The final assessment (if auditee offered response/rebuttal to initial assessment)

This will complete the onsite audit stage of the auditing process.

Preparing for an Onsite Audit

If your organization has been chosen by the OCR for an onsite HIPAA audit, it’s in your best interest to:

  • Be objective when it comes to assessing your own organization. It’s easy to overlook shortcomings when looking at your company from the inside – but doing so only does a disservice to your organization as a whole.
  • Include as much documentation as possible to support the information you provide. Much like during the pre-screening phase, the more questions an auditor has after reading your report, the harder they’re likely to come down on you.
  • If you decide to offer a rebuttal to the auditor’s initial report, be prepared to provide an abundance of proof and documentation showing an observation made by the auditor was incorrect.

It’s important to note that HIPAA audits are not meant to be a “gotcha” moment. The OCR’s purpose in completing these audits is to increase alignment between healthcare organizations and HIPAA laws and regulations. Be open and honest when completing your portion of the audit, and the next stage of the process will go much more smoothly for your organization.

Step 4: Post-Audit

Once the OCR representative completes an onsite audit, they will analyze the findings and results to determine the next step to take.

Depending on the results, the OCR may:

  • Provide suggested actions an organization should take to maintain or improve its compliance with HIPAA regulations, and to prevent potential breaches in the future.
  • Develop tools and guidance protocol to increase an organization’s ability to self-assess compliance issues.
  • Levy penalties and sanctions against the organization, depending on the level of negligence and severity of discovered protocol breaches.

Learn more about potential penalties for HIPAA violations and breaches in Staying HIPAA Compliant in 2017: What Do You Need to Know?

Preparing for the Post-Audit Stage

Once the HIPAA audit has been completed, you really have only two options: comply with the OCR’s suggestions, or face the consequences of being deemed negligent.

First, take the suggestions made by the auditor seriously. Take the advice given to you as a mandate, not a suggestion. As soon as you receive the final report, start making the necessary changes to your policies and procedures to ensure you’re doing what needs to be done to improve your organization in the eyes of the OCR.

After you’ve made the proper changes to your immediate circumstances, begin planning to implement strategies to:

  • Assess your organization’s operations objectively
  • Detect warning signs of a breach as soon as possible
  • Proactively amend policies and procedures before a breach occurs in the future

The OCR is more likely than ever to penalize organizations due to negligence and major breaches of HIPAA. However, organizations that can prove they’re working toward compliance will be less likely to face sanctions than those that have been completely negligent. In other words, the more honest you are about the challenges your organization has faced in becoming HIPAA compliant, the more likely the OCR is to help you – rather than punish you.


Though not every covered entity or business associate will be targeted by the OCR in 2017, healthcare-related organizations of all types and sizes should prepare to be audited nonetheless.

If selected to be audited, it’s important to remember that the OCR wants to help your organization become better-aligned with HIPAA protocol. As long as you can show you are diligently working to improve your organization’s compliance, the OCR will only serve to help you – not penalize you.

Accountable can help your healthcare organization come into – and maintain – HIPAA compliance throughout 2017 and beyond. Check out our services, and gain confidence that – should you be chosen for an audit – you’ll have nothing to worry about.