Friday, November 13, 2015

140 Reasons You Should Be Concerned About the 2016 HIPAA Audits

Health care organizations and the 140 areas that could be checked during a HIPAA audit

Beginning early 2016, the Office of Civil Rights (OCR) will begin auditing health care organizations to check their HIPAA compliance situation. This is a new effort by OCR, with increased funding, to hold health care organizations accountable to the HIPAA Compliance Rules and Standards.

When a health care organization is audited by OCR, it will need to have documentation of its compliance in more than 140 areas of the HIPAA Compliance Rules. These areas of accountability include:

  • HIPAA Security Rule (Required and Addressable): 66 individual requirements

    The Health and Human Services web site describes the difference between required and addressable:

    "If an implementation specification is described as 'required,' the specification must be implemented. The concept of 'addressable implementation specifications' was developed to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:
    (a) implement the addressable implementation specifications;
    (b) implement one or more alternative security measures to accomplish the same purpose;
    (c) not implement either an addressable implementation specification or an alternative.
    The covered entity's choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework."

  • HIPAA Privacy Rule: 67 individual requirements

    Requirements for compliance with the HIPAA Privacy Rules.

  • HIPAA Breach Rule: 10 individual requirements

    Requirements for self-reporting when a HIPAA breach occurs.

HIPAA audits are going to happen, and they are real. If your organization is not prepared to account for the 140 individual areas of accountability, then move forward and become compliant now. Your organization will be held accountable for any areas of non-compliance.

It looks like OCR is beginning to take HIPAA compliance a lot more seriously and so should you. For your organization, HIPAA is an irritating nuisance, but for the individual, whose personal and private health information you have, it means so much more.

For more information on this topic, please feel free to email

Read more about upcoming HIPAA audits:

Learn more about conducting your own in-house HIPAA Security risk analysis:

Understand HIPAA Security workforce:
