Deven McGraw Offers Advice on the Upcoming HIPAA Compliance Audits

Deven McGraw – deputy director of health information privacy at the Office for Civil Rights (OCR) – has offered some advice to covered entities ahead of the HIPAA-compliance audits which are scheduled to take place later this year.

The second round of HIPAA-compliance audits will be conducted on covered entities first, followed by business associates. OCR contacted covered entities earlier this year to verify contact information. That process is almost complete and a pool of healthcare providers, health plans, and healthcare clearinghouses will soon be finalized. OCR will select approximately 200 organizations from that pool for a desk audit.

Covered entities selected for audit will be notified and given 10 days to submit the requested documentation to the OCR. This does not give covered entities much time so it is important that preparations are made early.

In an interview with the Information Security Media Group, McGraw suggested that covered entities should start preparing now in case they are selected for a desk audit. Last month, OCR released the updated audit protocol which explains in depth which aspects of HIPAA-compliance will be assessed in coming audits.

By studying the audit protocol, covered entities will be able to determine the documentation that they may be asked to produce. Preparing now will ensure that all documentation can be supplied within the allocated time frame.

McGraw said business associate audits could not take place at the same time as those conducted on covered entities because the information held by OCR on business associates “is not robust enough.” Covered entities will be required to supply lists of current business associates and contact information will need to be verified. Business associates therefore have more time to prepare for a compliance audit.

Two aspects of HIPAA that will be extensively audited are enterprise-wide risk assessments and policies and processes for providing patients with access to their health records. A comprehensive, enterprise-wide risk assessment is fundamental to safeguarding PHI, yet risk assessment failures have been identified during many investigations into covered entities as part of the OCR’s HIPAA enforcement activities. Risk assessment shortcomings were also uncovered during the first round of 115 HIPAA-compliance audits in 2011/2012.

McGraw says that preparing for an audit now will be beneficial for HIPAA-covered entities even if they are not selected for a desk audit or one of the full compliance audits that will follow. By studying the audit protocol and compiling documentation, organizations can assess their own compliance efforts.

In the interview, McGraw also talked about the OCR’s enforcement activities and the lessons that can be learned from the actions OCR has taken. She also provided an update on data breach trends and upcoming guidance. That guidance will be issued to clear up confusion over ransomware attacks and whether they are reportable to the OCR.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.