01/08/2018 Richard B. Willner, DPM
The HIPAA Audit
One of the byproducts of the passage of the HITECH Act as part of the ARRA was the mandatory HIPAA audit with mandatory fines. The passage of these laws was delayed to give time to understand the regs and to come into compliance. It was not until April 2010 that the Office for Civil Rights (OCR) at the U.S. Dept. of HHS awarded two contracts to Booz Allen Hamilton, Inc. The first contract was for audit consulting support to OCR to help train the auditors. The second contract was to help OCR develop training seminars for state attorneys general on HIPAA rules.
The HITECH Act is a subsection of HIPAA of '96. HITECH Security Act part 2 strengthens many of the rules and regs of HIPAA and can be thought of as making it stronger, especially for patient health information (PHI).
Prior to HITECH, HIPAA violations were handled with a letter. This was no big deal. HITECH eliminated the letter. "Wilful neglect," which includes breaches of PHI, includes a penalty of
Most physicians will get a fine of upwards of $10,000 in real life. But it can easily go much higher. Add your legal fees and this is a game changer.
So, how do you get an audit?
1. Breach or complaint of a breach. A breach of above 500 must be publicly reported. A doctor who uses an iPhone can hit this threshold easily. Loss of the phone will give you great headaches unless one puts certain precautions in place that are beyond the scope of this note, but any 8-year-old would know what to
2. A complaint by anyone. A patient. A staffer, etc. HHS is mandated to investigate all
3. When you fill out your $44K application for economic stimulus payments. The application will ask about "Meaningful Use" and will ask questions about HIPAA compliance. You sign the form and certify that you are HIPAA compliant, and you are expected to have the policy and procedure manuals in place, your staffers trained, and your annual audits done.
You are expected to have prevention, detection, containment, and correction of violations.
You are expected to have background checks of staffers; pass codes, access rights, identification of staffers with remote access, and a detailed list of any terminated employees with documented changes to protect data.
You must have a list of authentication methods used to identify users who can access the EPHI.
You need copies of the business associate
You need to prove physical security.
You need to have encryption of EPHI.
You need to prove absolutely safe transmission of data moved from computers to smart phones, thumb drives, wireless networks, etc.
Documentation of which staffer has which level of security access and which computers they can use.
Examples of training programs of staffers and
Data backup, testing, recovery. Remote security of all kinds. Documentation appropriate to this.
The HIPAA regs and the HITECH Act are very hard to read and understand. The fact that audits and enforcement have been weak in the past means that the agencies will go into hyperdrive now. Over 168 items can be looked at in the audit, with 25 incidents per item. The failure to comply with HIPAA-HITECH will be very costly.
Remember that this HIPAA law started MILD and then, with time, it became a monster! We have seen the same with ObamaCare, with its huge law and massive amount of regulations. Even Stevie Wonder can see this.
Richard Willner, DPM, Kenner, LA