Small businesses not exempt from security audits, penalties for noncompliance

Ensuring the security of protected health information (PHI) and preventing data breaches is just as important for small practices as it is for large health systems. In a Health Care Compliance Association (HCCA) webinar entitled Privacy and Security in a Rural Health Environment, presenters John DiMaggio, CEO of Blue Orange Compliance, and Rebecca Woods, Vice President and Chief Information Officer (CIO) of Porter Medical Center, reminded attendees that they should be prepared for an audit conducted by the HHS Office for Civil Rights (OCR), which will impose penalties for Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations regardless of the company’s size.

Audit risk

The OCR began performing test audits at random in 2012, and it is following through on the threat of actual random audits this year. In April 2016, the agency updated its audit protocol, which includes a long list of inquiries related to privacy and disclosures. These inquiries range from ensuring that security training programs are in place for employees to evaluating a health plan’s protection of genetic information to safeguard it from being used for underwriting purposes. DiMaggio noted that an organization may be taking all of the right steps to avoid breaches, but the government will not be satisfied during an audit if all of the policies are not clearly documented. This documentation also ensures that employees receive adequate training.

Woods’ chief advice for ensuring that an entity is in HIPAA compliance was to hire a third party to review all practices. She hired Blue Orange Compliance to oversee Porter Medical Center’s processes. She noted that her IT staff are not experts in compliance regulations, and that obtaining an honest outside assessment avoids conflicts and ensures that leadership is held accountable. Blue Orange Compliance assessed policies, analyzed gaps in processes, and provided advice and tools for ensuring complete compliance.