HIPAA-Covered Entities Set for Compliance Audits

by Patrick Kennedy | Jun 19, 2015

A survey recently released by Healthcare Information Security Today (HIST) shows many Covered Entities (CEs) are making the same compliance errors that were uncovered during the initial phase of audits.

It has been three years since the OCR finished the pilot phase of HIPAA compliance audits. The OCR found numerous violations of all HIPAA Rules when it viewed the results, and while healthcare data security standards have improved significantly since 2012, many Covered Entities (CEs) would still fail a compliance audit.

The OCR used the results of the initial phase to develop a protocol for phase two, and the areas that CEs struggled to put in place will be specifically tested the second time around. A number of healthcare organizations could have a rude awakening about what compliance with HIPAA really means for them.

The HIST survey showed a surprising level of confidence among covered entities: 80% of respondents said they were confident or somewhat confident that they would pass a compliance audit.

The pilot round of compliance audits showed many areas where organizations were failing to comply with the HIPAA Security Rule, in particular, the requirement to complete a risk analysis. Organizations had either failed to complete a risk analysis, or failed to identify all the security vulnerabilities that were present.

The answers from those questioned in the HIST survey indicate that the level of compliance has improved greatly during the past three years; however, a quarter of respondents said they had not completed a risk analysis in the past 12 months. HIPAA requires that risk analyses be conducted on an ongoing basis; it is not a one-time duty. No healthcare IT environment remains the same for a year, and new security weaknesses can all too easily develop. Failing to monitor for risks on an ongoing basis is a clear violation of the Security Rule.

Technologies exist to securely manage PHI, yet many organizations are failing to put those technologies to use. Data encryption is still not being used to secure data, even on high-risk devices such as portable storage drives and laptop computers. BYOD schemes have been adopted, but only 50% of covered entities insist on a secure messaging app or another form of data encryption on those devices.

The potential HIPAA breaches do not end there. The next round of compliance audits will test compliance with the HIPAA Omnibus Rule of 2013, which brought Business Associates (BAs) under the privacy and security regulations. The OCR will be auditing BAs during the second phase of audits and they too must be able to show compliance with HIPAA Rules.

Rather worryingly, according to the survey, even some of the fundamental HIPAA Rules are not being adhered to. Approximately 25% of CEs say they have not obtained proof that their BAs have conducted a security audit, and a similar percentage have not obtained a copy of their BAs' security policies.

The 2015 Healthcare Information Security Today survey was carried out online and the results were compiled from almost 200 surveys completed by CISOs, CIOs and senior healthcare leaders. Surveys were submitted between December, 2014 and January, 2015. The full report can be viewed here.




Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
