
Contributed by Joanne Szupka

The U.S. Department of Health & Human Services (HHS) has begun the next phase of audits in conjunction with its review of policies and procedures implemented by covered entities (and those entities’ business associates) to meet the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification rules.


In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) mandated that HHS conduct periodic audits of both covered entities and business associates to ensure that covered entities and business associates are complying with the HIPAA Privacy, Security and Breach Notification Rules. A company’s health plan is classified as a covered entity.

There are three distinct components to these rules:

  • The Privacy Rule addresses protected health information (PHI).
  • The Security Rule addresses electronic protected health information (ePHI).
  • The Breach Notification Rule addresses providing notification following a breach
    of unsecured PHI.

Pilot Program Results

The pilot program or Phase I of the audits occurred in 2011 and 2012 and included 115 covered entities. 47 out of the 115 covered entities were health plans, which represented approximately 41 percent of the total population. No business associates were selected for an audit under the pilot program.

The findings and observations in the pilot program were divided among the three rules as follows:

  • Privacy Rule – 30 percent
  • Security Rule – 60 percent
  • Breach Notification Rule – 10 percent

Additionally, 57 percent of the health plans audited had no complete or accurate risk assessment program. While other causes were noted, the general conclusion of the Phase I audits was that non-compliance was largely attributable to a lack of awareness of HIPAA requirements.

Phase II

Phase II is currently ongoing and will include a combination of desk and on-site audits of covered entities and their business associates. Desk audits occurred in 2016, with on-site audits scheduled for 2017. In July 2016, 167 covered entities were notified via email that they had been selected for a desk audit. Under the program, a covered entity selected for a desk audit may also be selected for an on-site audit.

Each desk audit is limited to a review of seven controls and is split into two separate audits. One audit examines the Security Rule controls, while the other assesses compliance with the Privacy and Breach Notification Rules. In an on-site audit, the plan is also evaluated against a comprehensive set of HIPAA compliance controls.

Regardless of audit location or type, a listing of documents will be requested from the entity. These documents may include privacy policies, procedure manuals, training materials, incident response plans and the risk analysis.

Best Practices

Even if your company’s health plan is not selected for a HIPAA audit, Phase II is a good reminder of the importance of regulatory audit readiness and good fiduciary practices. Being knowledgeable, proactive and prepared are, in our opinion, the key elements that alleviate anxiety should your plan be picked for a regulatory exam. Below are some of the action steps that plan sponsors may want to consider for their company’s health plan(s):

  • Educate yourself on the HIPAA requirements.
  • Perform a review of the HIPAA documents to ensure that they are complete, up-to-date and readily available, along with any HIPAA training materials and the records documenting completion of that training. The protocol that HIPAA auditors will use during an audit has been released (here) and indicates that, unless otherwise specified, the requested documents should be the versions in use as of the date of the audit notification/document request.
  • Inspect your company’s HIPAA Security Risk Analysis. A security risk analysis is intended to be an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. While the security risk analysis focuses solely on ePHI, it is generally recommended that sponsors also take steps to address the security of PHI in paper and oral form, if applicable to your company’s health plan. The Security Rule requires the security risk analysis to be documented and updated on an as-needed basis. If it has been a few years since the plan sponsor last looked at the health plan’s security risk analysis, a prudent step is to schedule a review.


On November 28, 2016, the HHS Office for Civil Rights (OCR) issued an alert regarding a phishing email disguised as official OCR communication that prompts recipients to click on a link regarding potential inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs recipients to a website marketing cybersecurity services. If you have received such an email or have questions whether your company has obtained official communication from OCR regarding a HIPAA audit, contact the agency at

This article originally appeared in BDO USA, LLP’s “EBP Commentator” blog (Fall 2016). Copyright © 2016 BDO USA, LLP. All rights reserved.
