In a single sentence in Section 13411 of the HITECH Act, the statute requires HHS to perform periodic audits of covered entities and business associates with respect to compliance with the HIPAA Privacy and Security Rules and the related Breach Notification Rule (collectively, “the Rules”).  The first 115 audits will be complete by the end of 2012.  Here’s today’s big tip – Learn about the form used to receive management comments on findings and recommendations!


Sample Notification of Findings and Recommendations Form from OCR HIPAA Audits

Due Diligence Mitigates Liability Exposure Under HIPAA and the HITECH Act

The exact language in Section 13411 of The HITECH Act is:

The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.

When conducting the OCR HIPAA Audits, the auditors use the detailed OCR Audit Protocol, which includes 78 HIPAA Security Key Audit Activities, 81 HIPAA Privacy Key Audit Activities and 10 HITECH Breach Notification Key Audit Activities.  These audit activities fall under various Performance Criteria, which are typically a restatement, and often a verbatim “copy/paste,” of the relevant Standard or Implementation Specification in the regulation.

Findings from OCR HIPAA Audits

Findings take the form outlined in this example below:

  • Condition: XYZ Hospital has not performed a risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Criteria: 164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
  • Cause: XYZ Hospital has never completed a comprehensive HIPAA Security Risk Analysis.  The Risk Analyses reviewed covered only XYZ’s recently installed EHR system and did not include all other information assets that create, receive, maintain or transmit ePHI.
  • Effect: The lack of a formal, comprehensive risk assessment process increases the potential that vulnerabilities and risks to ePHI are not identified and mitigated. Further, an increased risk may exist that the physical and logical locations of ePHI, and the mechanisms used to protect and monitor ePHI, are not completely identified and established.
  • Recommendation: XYZ Hospital should conduct periodic risk assessments in accordance with 164.308(a)(1)(ii)(A).

Management’s Opportunity to Comment on Findings from OCR HIPAA Audits

Organizations being audited are presented with a detailed listing of all deficiencies found, with details as outlined above: Condition, Criteria, Cause, Effect and Recommendation.  Upon receipt of the initial report, management must respond within ten (10) business days from the date of the notification by providing the appropriate supporting documentation and indicating one of these three choices:

  • Management concurs with this finding.
  • Management does not concur with this finding.
  • Management partially concurs with this finding.

Please feel free to contact us to benefit from our expertise and help you jump-start your program.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater  HIPAA Audit Prep BootCamp™ series.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.