Now What?: Life After HIPAA’s September 23 Deadline

By David Briggs and Wayne Kinkade

If you’re like most medical practices, you’re tired of hearing about HIPAA, HITECH, and the Omnibus Rule. Most practices have now updated their business associate agreement and sent it out to a number of parties. Your notice of privacy practices is updated and prominently displayed in the patient intake area, and you are giving it to your new patients (and for those really on top of it, you have complied with the requirement that the notice be “prominently displayed and available” on your website). Many of you have already updated your privacy policies to incorporate the changes found in the Omnibus Rule (including how you define a breach, mitigation in the event of a breach, and reporting of a breach).

So, now you can put those shiny new policies on the shelf and get back to work, right? Maybe… Before you do, the real test is being able to say that you are ready in the event the federal government decides to show up to audit your HIPAA compliance.

OCR Audit Guidelines

The Department of Health and Human Services’ (“HHS”) Office of Civil Rights (“OCR”) has the authority to audit all covered entities – and their business associates. Often, audits now occur in response to a complaint being filed or a news story describing a potential breach of PHI. However, OCR is not limited to audits resulting from complaints and has recently stepped up enforcement efforts. Those enforcement efforts have led to an unprecedented level of fines and penalties to covered entities around the country. In fact, in a recent HHS presentation touching on the penalties assessed last year, HHS stated that it was “happy to note” that the total of penalties this year had already reached $15.75 million. This number is likely to increase this year and continue increasing in future years as OCR looks to expand its audit program.

The good news is that the OCR has already adopted a set of so-called “audit protocols” that tell us what will be asked in the event of a HIPAA audit. Below are some of the questions contained in the audit protocol:

  1. What written policies do you have in place regarding the access to PHI? Do the policies address practice staff – including a limitation on staff viewing PHI only as is necessary? Do you have a written policy that covers release of PHI to other entities involved in the treatment, payment, or health care operations? To family? Friends? Other entities?
  2. Do you conduct periodic reviews of security policies and procedures? Do you update your security policies as a result? Train your employees on those changes?
  3. What policies are in place for identifying, responding to, reporting and mitigating security incidents? Do you keep a log of those incidents, responses, and efforts to mitigate?
  4. What policies are in place to determine whether a breach has occurred? Do those policies take into account your efforts to mitigate?
  5. Do you report all breaches to HHS within 60 days of the end of the year?
  6. Do you have a process in place to determine the need to disclose PHI for the purpose of workers’ compensation?
  7. What policies and procedures are in place to verify the identity of the individuals who request PHI?
  8. Do you have a policy requiring that documentation of privacy practices be maintained for at least six years?
  9. If you de-identify data, do you have a process established for that de-identification? What content is included? Is there any level of review?
  10. How much training have you done on all of the items listed above? How have you documented that training?

But Wait, There’s More

So, you’ve checked off all the questions listed above? That means you’re off to a good start. These questions are just some of the 170 different areas of inquiry that OCR would make during an audit. If you’d like to see the full list of audit questions, you can go to and look under the health law industry section, or contact David or Wayne (contact information below).

Penalties for Failure to Comply

So, what happens if you missed the September 23, 2013 deadline or if your practice is not in compliance? Of course, compliance is better late than never. If you are out of compliance, HHS has the power to assess monetary penalties and require corrective action plans not only for your violations, but also for violations by your business associates!

The amount of the penalties can range from $100 to $50,000 for each violation. HHS takes into account a number of factors in determining the amount of the penalty, including: the nature of the violation; the number of individuals affected; the time period of the violation; what the covered entity knew or should have known; and the extent of the harm resulting from the violation.

No doubt, the sooner your HIPAA policies and procedures are in compliance, the better off you will be in the event of an audit.

HIPAA compliance is not a get-the-policies-and-put-them-on-the-shelf kind of program. OCR expects you to perform a periodic risk analysis, to audit your systems and access and to be proactive in your efforts to avoid a privacy breach. They expect that your Privacy Rule and Breach Notification policies have been updated to track the recent changes to federal law. They want to see you regularly evaluating your policies with respect to changes in technology and providing your staff periodic training.

If you need help with any of these issues, please contact Wayne ( or David ( at Saalfeld Griggs.