OCR Indicates Major Increase in HIPAA Audits

Apr 16, 2015

The second round of HIPAA compliance audits has yet to commence (the last round was in 2012), but the audits are supposedly returning and will be bigger and bolder than before.

The Department of Health and Human Services’ Office for Civil Rights (OCR) indicated to Washington-based lawyer and HIPAA expert Adam Greene, a partner at Davis Wright Tremaine, that compliance enforcement is set for a major increase.

In a presentation given at HIMSS15 in Chicago on Tuesday, Greene said that there had been an increase in enforcement actions involving financial penalties in the last few years. Greene stated that there “was one or three fines levied in 2008-2011, five in 2012 and 2013 and seven last year in 2014”.

The OCR has had to take action in the face of more than 100,000 claims since it began enforcing HIPAA legislation, and in the majority of cases these claims have been settled without any investigation being required. In almost a quarter of cases (24%), the Covered Entity (CE) took voluntary corrective action after areas of non-compliance were identified.

In 11% of cases the OCR found no violation and the claim proved to be unfounded, while only 23 cases led to a violation and penalty (0%). Settlements have increased already, and that trend is likely to continue for the foreseeable future.

Greene remarked that the “HHS will not be handing out violations like speeding tickets but increasing monetary fines and more fines are what he sees coming in the future.” He also stated that we are “entering a new era of HIPAA enforcement”.

The OCR has been criticized for not completing the audits to date, but plans are now in place and, according to a report in HealthDataManagement, Greene said the next set of audits will “dwarf anything seen so far”.

There was no indication of when the OCR will begin the audits, although Greene said they were expected later in 2015. It has been three years since the end of the pilot phase, and last year there was a delay due to web portal alterations. This year, establishing the audit protocol appears to be taking some time.

While many Covered Entities (CEs) are anxious about the coming audits, now is the time to ensure that all policies and procedures are compliant, which will ease the stress when the audits do begin.

The figures from the initial round of compliance audits show that the problem with risk analyses was often not how they were conducted; many organizations had simply not carried them out. The majority of those that did complete a risk analysis did not do so thoroughly and therefore did not find all security weaknesses.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
