
October 13, 2015

HIPAA and Meaningful Use Audits Underway

If you’ve not yet completed your Security Risk Assessment, now is the time to do so, as CMS is currently conducting HIPAA Compliance audits as well as Meaningful Use audits. Below is some pertinent information about both.


The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently sent pre-audit screening surveys to a pool of covered entities that may be selected for a second phase of audits (Phase 2 Audits) of compliance with the HIPAA Privacy, Security and Breach Notification Standards, as required by the HITECH Act.

Business Associates beware!

Unlike the Phase 1 Audits which focused solely on covered entities, Phase 2 Audits will include both covered entities and business associates.

HIPAA Compliance Phase 2 Audit Focus Areas:

  • PHI security and pervasive non-compliance. Based on Phase 1 Audit results, the Phase 2 Audit program will focus on areas of greater risk to the security of protected health information (PHI) and on pervasive non-compliance. These audits will not comprise a comprehensive review of all of the HIPAA Standards.
  • Yet to be identified best practices and vulnerabilities. In addition, OCR intends for the Phase 2 Audits to identify best practices and to uncover risks and vulnerabilities that OCR has not identified through other enforcement activities.
  • Other audit goals. OCR intends to use the Phase 2 Audits to identify areas in which covered entities and business associates need OCR to develop technical assistance. And, should an audit identify a serious compliance concern, OCR may further review the organization, with the potential for civil monetary penalties.


As of April 2012, the Centers for Medicare & Medicaid Services (CMS) reported it had distributed $4.5 billion to eligible healthcare providers and hospitals via the program designed to incent them to invest in electronic health record (EHR) technology and use it in a meaningful way. Since 2012, CMS has been conducting post-payment audits of providers and hospitals that received EHR incentive program monies.

  • What the Meaningful Use audits entail: The audit reviews information submitted by the incentive payment recipient for compliance with Meaningful Use (MU) requirements for the reporting year and stage of implementation. It is initially conducted as a desk audit and, if deemed necessary, becomes an on-site audit. Important to remember is that every iteration of these requirements included the completion of a Security Risk Assessment, and the majority of entities audited during Phase 1 had not completed one.
  • What are the consequences? If the audit finds that even a single requirement of the program has not been met, the recipient must return the entire incentive payment.
  • Additional consequences. If the audit determines the incentive recipient had reason to know it was not complying with the MU requirements, the payments made via the program could then be considered overpayments, which would trigger the Federal False Claims Act and possibly result in civil penalties.


  • Conduct your Security Risk Assessment as soon as possible. Both HIPAA Compliance and Meaningful Use attestation require a Security Risk Assessment, and many providers and hospitals have not yet conducted one (or have conducted only one!).
  • Assume that you will be subject to either or both audits, and take no chances. Compliance is not optional. The risks associated with non-compliance are too great.

Need to conduct your Security Risk Assessment? Unsure of your compliance? Contact an Anders advisor to discuss our Security Risk Assessment and other compliance-related services.
