Business Associate HIPAA Audits Now Imminent

The business associate HIPAA audits are scheduled to commence this month. The business associate HIPAA compliance audits are not expected to result in punitive action if HIPAA violations are discovered. The audits provide a snapshot of the state of compliance and are intended to identify common compliance issues, which OCR will use to direct future guidance.

OCR may prefer to resolve noncompliance through voluntary corrective action and technical guidance. However, if serious violations of HIPAA Rules are discovered, OCR is unlikely to turn a blind eye. In addition to the desk audits, OCR will also be conducting a round of full on-site compliance audits. Non-compliance with HIPAA Rules uncovered during a desk audit could trigger a full compliance review, and punitive action cannot be ruled out.

As we have already seen this year, OCR will resort to punitive measures against business associates if serious compliance issues are discovered. This year, OCR entered into a settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate, after serious violations of HIPAA Rules were discovered while investigating a series of privacy breaches that affected 412 individuals. In that case, CHCS agreed to a $650,000 settlement with OCR to resolve potential violations of the HIPAA Security Rule. CHCS had failed to conduct a thorough organization-wide risk analysis and had failed to implement security measures sufficient to reduce the identified risks and vulnerabilities to ePHI to a reasonable and appropriate level.

The penalties for non-compliance can be severe. Civil monetary penalties range from $100 to $50,000 per violation (for example, per affected healthcare record), up to an annual maximum of $1.5 million per year for violations of an identical provision. Because the cap applies per calendar year, the maximum fine can be multiplied by the number of years that a violation was allowed to persist. Multi-million dollar penalties are therefore possible if widespread, long-standing non-compliance is discovered.

OCR has already formed the pool of business associates from which 40-50 will be selected for a desk audit. Notification emails will be sent to the selected business associates without prior warning. Entities selected for audit will be required to submit all requested documentation within ten days of receiving notification of selection, which leaves no time to create missing policies, risk analyses or business associate agreements after the fact. The business associate HIPAA audits are now just a few days away. Business associates should therefore get prepared and ensure that all HIPAA documentation is in place.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news