HIPAA Privacy, Security and Breach Notification Audits – What this means for small providers

On April 23, the HCCA 2013 Compliance Institute released the initial overview of its audit of HIPAA privacy, security, and breach notification compliance. Since December of 2012, 115 performance audits of health care providers, plans, and clearinghouses have been conducted. While the number of audits is small, the results have major implications for small providers.

The HIPAA Omnibus Rule requires the Department of Health and Human Services to conduct periodic audits to ensure that covered entities and business associates are HIPAA compliant, specifically with regard to the HIPAA Privacy and Security Rules and the breach notification standards. The process for selecting entities to be audited is random; any covered entity or business associate is liable to be audited.

The 2012 audit broke health care businesses down into four groups:

– Level 1 Entities: Large providers and plans that extensively use HIT
– Level 2 Entities: Large regional providers and plans that use paper and HIT-enabled workflows
– Level 3 Entities: Smaller community providers that use mainly paper-based workflows
– Level 4 Entities: Small providers with little to no use of HIT

61 of the health care businesses audited were specifically health care providers. Business associates were not audited in this study, but HHS reports that after the HITECH Final Rule compliance date of September 23, 2013, any business associate will be subject to the same audit procedure as providers.

The results speak strongly in support of the need for better understanding of HIPAA regulation, particularly among smaller providers. Of the entire sample, including small and large providers, plans, and clearinghouses, only 11% were completely compliant. The remaining 89% were found non-compliant in the areas of the Privacy Rule, the Security Rule, or the breach notification standards. Linda Sanches, MPH, reports that in particular “smaller, level 4 entities struggle with all three areas.”

Looking at the Security Rule specifically, a reported 58 out of 59 health care providers had at least one Security Rule violation. The main reason for this appears to be lack of knowledge: according to the report, the most common cause of violations across all entities was that the entity was unaware of the requirement.

So, what does this mean for small providers? Here are the three main takeaways:

  • Size does not matter: Small providers are just as liable to be audited and found non-compliant as larger organizations. And frequently, small providers are actually more likely to have trouble with compliance. No more pretending people will ignore your practice because it is local!

  • Focus on the big three: Privacy, Security, and Notification, that is. Small providers in particular struggled with meeting expectations and requirements in all three of these areas. If this continues, many small practices will endanger the future of their business.

  • Education is key: the most common cause of violations is that people are not aware they are violations in the first place. This is easy to fix, especially through HIPAA consultations. So get to work now, and figure out what your practice needs to do before the most recent HIPAA rulings go into effect in September!

EMRSoap provides HIPAA compliance and health care information technology consulting for small to medium-sized practices. To learn more about becoming HIPAA compliant, see our HIPAA primer for small providers, or contact us today.
