Why worry about a healthcare audit? I can give you 15 million reasons, as in the nearly $15 million in settlement payments the Office of Civil Rights (OCR) has agreed to with covered entities and their business associates during the first six months of 2016.

The federal agency charged with investigating data breaches and HIPAA violations has been busy recently. In July alone, the OCR settled with two health systems for a combined $5.5 million in the aftermath of data breaches involving a total of 13,000 patient records. It also announced the next phase of audits for 167 providers, health plans, clearinghouses and their business associates.

The OCR stated the audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, a law that aims to ensure the confidentiality of patient medical records, turned 20 years old this year, and it's easy to lose sight of its continuing importance unless you experience a breach of some sort.

The goal of the audits is to develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.

While the overall chances of being selected for an audit are small, the chances that your organization can be breached loom large. And if the breach affects more than 500 patient records, then your organization will face extra scrutiny because of mandatory reporting to the OCR, affected patients and local media outlets.

Breaches Are Frequent, Costly

According to the Ponemon Institute's sixth annual report on healthcare data privacy and security, the average cost of a healthcare breach is more than $2.2 million for a healthcare organization and more than $1 million for business associates. So are you listening now?

Here are some other interesting statistics from the latest survey:

  • Data breaches cost the healthcare industry $6.2 billion a year.
  • 9 in 10 surveyed healthcare organizations reported a data breach in the past two years.
  • 45% had more than five breaches during the same period.
  • The majority of breaches were for fewer than 500 records.
  • Half of breaches among healthcare respondents were the result of criminal attack, with another 13% the result of a malicious insider.
  • Business associates report 41% of breaches were caused by criminals and another 9% from malicious insiders.

The report authors summed up the threat like this: "No healthcare organization, regardless of size, is immune from data breach."

Even Small Providers Need a Plan

From the largest health system to the solo practitioner, everyone needs a compliance officer who's responsible for monitoring an organization's data security and privacy. Larger organizations have dedicated positions that increasingly report to the C-suite. But even the smallest providers are using electronic health records systems, issuing electronic prescriptions using apps, working with business associates and sharing data electronically with other care partners. Risk of a breach comes with every employee and every intersection between electronic systems.

Of course, the smallest providers can't afford full-time security resources, but there are third-party resources available to help practices determine what they need, set up a plan and perform proactive monitoring that can help protect an organization in case of an audit or a breach. Think about it as life insurance for your business.

Even an unintentional breach can create a cascade of negative circumstances that can threaten your business. A breach of more than 500 records must be reported to the OCR, where it will appear on its public website. The local media must be notified, as must every patient potentially affected. The resulting negative publicity may cause care partners to lose trust in your services and your credibility, resulting in the loss of reputation and business.

How Audits Can Help

If you have a disaster recovery/business continuity plan for your organization, you should have a security and privacy plan that encompasses your data. And if you don't have such a plan, you should.

The data security plan should present an overall picture of the organization from security and privacy standpoints, the potential threats and how the organization will address each of these. It will include step-by-step instructions to undertake in case of a breach or attack. It also will include specific information on training for employees and the responsibilities of any business associates that may have access to sensitive information.

And once you have a plan, it should be tested regularly and changed as needed. For privacy and security, testing the plan takes the form of a proactive audit that checks for vulnerabilities in both the physical and electronic protection of data. Increasingly, companies are looking for software that carries industry accreditation for security to provide peace of mind that stringent security protocols are in place.

In fact, the majority of data breaches (58%) are uncovered during audits and assessments. The other top ways data breaches get uncovered are (in order) employee detection and patient complaints. The risks of a continued breach are too great to allow it to be discovered by chance.

Clean Bill of Health

During the first round of audits by the OCR in 2012, the Utah Health Information Network (UHIN) was one of just two clearinghouses that had zero findings. UHIN officials credited an earlier Electronic Healthcare Network Accreditation Commission (EHNAC) audit for helping the company prepare. UHIN has been accredited by EHNAC since 2004.

Not all providers, clearinghouses, health plans and business associates need the in-depth auditing and accreditation services that EHNAC provides. But every healthcare entity needs a plan, because the potential consequences are too costly to ignore.

One of the July settlement actions was with Oregon Health & Science University (OHSU), which was fined $2.7 million for a series of breaches that affected more than 3,000 patients. In particular, OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. Counting only those patients found to be at particular risk, the settlement cost OHSU nearly $2,000 per record.

About the author: Lee Barrett has been Executive Director of the Electronic Healthcare Network Accreditation Commission (EHNAC) since its inception in 1993. EHNAC is a nationally recognized non-profit healthcare accreditation organization. He has 10 years of experience leading healthcare professional services organizations, including PricewaterhouseCoopers, SAIC, Covansys and Virtusa, and 13 years in senior management roles in payer organizations, including MassMutual, Connecticut Mutual, Travelers and Aetna. He has also held senior leadership positions at American Dental Association Business Enterprises Inc. (ADABEI), the for-profit, wholly owned subsidiary of the ADA, a provider organization. He has led several healthcare software/services development companies, including MBEXX, Claredi, HealthEC and others, and facilitated the acquisition of many of them. He has served as chairman of WEDI and of the ASC X12N Insurance Subcommittee, serves on the eHi Leadership Council and the DirectTrust Board, and has held a number of other industry board roles.