Protect Yourself from a HIPAA Audit

June 16, 2015

When most people think “audit”, they think about the IRS. For businesses, audit is more and more frequently bringing to mind HIPAA. HIPAA has some serious risks, but if you remain compliant and up-to-date, it does not need to bring a sense of fear to you or your business.

It may seem like common sense to say the best way to avoid or successfully complete an audit is to be proactive about compliance. Audits normally arise from three sources:

  1. U.S. Department of Health and Human Services (HHS)
  2. A state attorney general
  3. Your customers and vendors (third parties)

Each of these audit sources is becoming more common.

One of the most important parts of an audit is to assess past and present compliance with HIPAA (and, where necessary, state HIPAA laws). Being able to show what you are doing to comply with HIPAA in a clearly understandable way will go a long way to a successful defense of an audit.

Once in the audit process, the auditor will be looking to assess how HIPAA impacts your business and what is being done to follow HIPAA’s requirements and restrictions. The harder the auditor has to look to ensure compliance, the more likely a violation may have occurred. This is not a direct causation, but when a business cannot properly respond to audit inquiries, it is often because the necessary steps to be in compliance have not been taken, or that the process in place needs to be reviewed and upgraded.

In addition to helping you and your business survive an audit a little easier, having a clear and active compliance initiative can also make a big difference in the event of a state-based lawsuit, which increasingly subject businesses to HIPAA standards for state claims, one of the more common HIPAA-related trends.

Contributed by Charles Russman, Bodman PLC.

View the archived webinar “HHS/OCR: Surviving a HIPAA Audit” with Charles M. Russman.