
    Get ready for the next round of federal HIPAA audits

    With the government conducting a new round of HIPAA privacy and security audits in 2017, small medical practices need to be prepared.

    The problem is that most are not.

    In an assessment of its first round (Phase 1) of audits, the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR), which is responsible for enforcing patient privacy rules, found that many healthcare entities, including smaller practices, are having difficulty not only with implementing security technology to protect patient data, but with implementing plans and selecting personnel to manage HIPAA compliance at their practice.

    Struggling with HIPAA protocols

    In fact, a review of the Phase 1 audits found that 66% of entities lacked complete and accurate risk assessments, according to Zinethia Clemmons, OCR’s HIPAA compliance audit program director.

    Research from SecurityMetrics, a data security company in Orem, Utah, suggests that protecting digitized patient health information continues to be a low priority for small practices.

    A poll of 150 healthcare professionals responsible for HIPAA compliance at organizations with fewer than 500 employees found that:

    51% don’t test employees on HIPAA-related training;

    50% of respondents don’t know if their organizations use multi-factor authentication;

    41% don’t know how often their firewall rules are reviewed;

    27% don’t encrypt emails containing patient data; and

    26% don’t use mobile encryption.
    There are a variety of reasons why small practices find it difficult to make their systems HIPAA-compliant. One is finding information on how to prepare. OCR and the Office of the National Coordinator for Health Information Technology (ONC) have a HIPAA Security Risk Assessment tool available online to assist small and medium-sized practices (bit.ly/HIPAA-SRA).

    Many small practices also haven’t implemented measures to prepare for a potential HIPAA audit. In a recent study by cloud-based practice management software provider NueMD, 30% of healthcare professionals said they didn’t have a compliance plan. Fifty-four percent said they did not have a security or privacy officer, and 60% were unaware of the planned increase in audits under OCR’s Phase 2 HIPAA Audit program, which began last year and is ongoing.