HHS launches random HIPAA audit surveys

June 25, 2015 Laura Hale Brockway

Last year, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) reported their intentions to survey a small number of health care entities and their business associates in order to select subjects for a new “random” audit.

The selection process is now underway!

OCR has begun sending pre-audit screening surveys via email to a small number of applicable entities across the state, with questions expected to focus on security risks to protected health information (PHI) and pervasive issues of non-compliance based on OCR’s 2011 and 2012 audit findings and observations.

Please note: only a small number of covered entities, less than 10%, will actually receive the survey.

It is unknown how many of those contacted will actually be selected for the audit; however, sources are projecting that approximately half of those contacted will be audited. If you receive a survey, please don’t ignore it. Respond to it as soon as possible. Failure to do so could potentially “raise a red flag” with HHS and invite scrutiny or even an independent audit.

If a serious compliance concern is found through an audit, OCR may initiate a full compliance review through its enforcement division that could lead to financial penalties.

The audit program is an attempt by OCR to proactively enforce, assess, and confirm HIPAA compliance efforts, and present new opportunities to “examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” (1)

TMLT Resources

If you receive a survey, please contact Cathy Bryant in TMLT’s Product Development and Consultant Services department at cathy-bryant@tmlt.org or 512-425-5910. Cathy will do a high-level review to help your Privacy Officer identify areas that may be on the audit.

If you are chosen for an audit, please contact TMLT at 800-580-8658 and ask for the Claims Department.

To help you prepare for a potential audit, TMLT offers the following table with information and solutions related to these audits.

1. Information: HIPAA and Texas Medical Privacy and Security laws require you to have updated policies and procedures.
   Solution: TMLT Privacy and Security Toolkit. The TMLT toolkit guides practices with existing policies through a system-wide review and highlights which revisions may need to be made. The toolkit also helps those practices currently developing policies and procedures to better understand HIPAA rules and Texas law. The toolkit is available online.

2. Information: Recent changes to the HIPAA Omnibus Rule and Texas Medical Privacy and Security laws require you to revise your Notice of Privacy Practices.
   Solution: Notice of Privacy Practices (NPP). The NPP is an important document that tells your patients how you will use and disclose their protected health information (PHI). Changes with Omnibus require you to review and revise your NPP. Changes to Texas law require you to notify patients if you electronically disclose PHI. Sample NPPs are available on the HHS website. TMLT solutions are available in TMLT’s toolkit.

3. Information: Business associates (BAs) are now held to the same requirements under HIPAA as covered entities (CEs). During the random HIPAA audit, BAs of audited CEs will also be subject to an audit.
   Solution: Business Associates and Business Associate Agreements (BAAs). Identify all your BAs, or anyone with whom you share your PHI. Determine if you had an existing BAA with them prior to March 26, 2013. If yes, you have until September 22, 2014 to get an updated BAA signed. If not, get a BAA signed as soon as possible. Learn more about BAs and BAAs in TMLT’s Privacy and Security Toolkit.

4. Information: The HIPAA Security Rule requires a Security Risk Analysis if you do electronic billing or have an EHR. (2)
   Solution: TMLT can conduct a Security Risk Analysis for your practice.

5. Information: Texas law is more stringent than federal law on training.
   Solution: TMLT Privacy and Security Toolkit. TMLT’s toolkit includes “Introduction to Developing Physician Office Training.” TMLT can develop customized training for your office. TMLT solutions are available in TMLT’s toolkit.

6. Solution: TMLT Privacy and Security Toolkit. The Comparison Tool, included in the toolkit, highlights Texas and federal law differences.

For more information on TMLT’s Toolkit, risk assessments, or consulting services, please contact Stephanie Downing at 1-800-580-8658 or consultingwebmail@tmlt.org.

1. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html

About the Author

Laura Hale Brockway is the Assistant Vice President of Marketing at TMLT. She can be reached at laura-brockway@tmlt.org.
