HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Are You Ready for a Surprise HIPAA Compliance Audit?

Surprise! You have been selected from a list of hundreds of thousands and are the proud winner of a full compliance audit. Are you prepared for a full document check and can you provide evidence of HIPAA in action at your organization?

The thought of a surprise compliance audit sends shivers down the spines’ of many a Security Officer, although ONC Chief Privacy Officer, Joy Pritts, recently provided some tips to help ease the stress of a surprise HIPAA audit and some actions to take to get compliant.

HIPAA Omnibus Rule compliance is expected to form the basis of random HIPAA audits in the near future, and many organizations are unprepared to deal with a government agency scrutinizing the minutiae of each and every document, process and procedure.

Speaking at HIMSS 2014 last month, Pritts offered help with a number of pointers to assist covered organizations focus on the most important areas of HIPAA compliance: Those which are most likely to result in an OCR fine.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Risk Assessments

The Risk assessment is the most important element of the Security Rule, and if a comprehensive check of all potential risks to PHI is not conducted, it will not be possible to determine if all risks have been effectively managed. That risk assessment must be documented, along with the methods being use to address any risks that were identified.

Pritts also provided some important tips to help organizations survive a surprise compliance audit:

Surviving a Surprise HIPAA Compliance Audit


  1. Organizations of all sizes must conduct a security (risk) assessment. Pritts said the HHS is working on guidance tailored for smaller organizations and that help on security assessments and risk analyses are available on the HHS website.
  2. Be prepared for a full document check – If selected for audit, the OCR will want to see evidence that procedures are in place to secure PHI. Documents must be provided that demonstrate this. Pritts said “Show them [the OCR auditors] you have thought about your security and have done your assessment.”
  3. Re-evaluate policies and procedures – When your organization changes, so must your policies and procedures. Compliance is a continuous process. Reassess regularly and document everything.
  4. Security Assessments must be comprehensive – Seek outside help from security experts on the safeguards than must be implemented and how you can monitor your systems and resources. Get assistance with firewalls, audit logs and other server safeguards.
  5. No service or vendor can be HIPAA compliant – Only the covered entity can be HIPAA-compliant, so any product or service which claims to offer full HIPAA-compliance cannot. It is the actions of the covered-entity that determine whether HIPAA Rules are followed.


Pritts also made a point for Security Officers, advising them not to get too caught up with the technical safeguards to protect PHI and then forget about the administrative requirements of HIPAA. Staff must be trained; they must be engaged and should adopt good practices as part of their everyday routines. With a big organizational effort accompanied by technical measures to protect data, the risk of suffering breaches will be reduced, consumer confidence will increase and the cost of a violation can be avoided.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.