A new survey of medical practices and billing companies in all 50 states has found that an alarming number of them are not prepared to be HIPAA compliant. The survey included almost 1,200 respondents, 87 percent being medical practices and 13 percent billing companies. They found that:

  • 58 percent of the respondents said they had a HIPAA plan
  • 23 percent said they did not have a HIPAA plan
  • 19 percent were unsure if they had a plan
  • 66 percent of respondents were unaware of required HIPAA audits
  • Just 35 percent of them said they have conducted a HIPAA-required risk analysis
  • Only 24 percent of managers, owners, and administrators at medical practices reported that they’ve evaluated all of their Business Associate Agreements

The U.S. Department of Health and Human Services’ Office for Civil Rights is required to perform periodic HIPAA compliance audits, under the Health Information Technology for Economic and Clinical Health Act.

  • Phase 1 audits were completed in 2011 and 2012 and focused just on covered entities
  • Phase 2 audits include both covered entities and business associates; they are scheduled to start at any time and to be completed by June of 2015

While complying with HIPAA regulations can be a challenge for all healthcare organizations, it’s particularly challenging for small practices with a limited amount of resources to do the research and develop the methods of addressing the regulatory requirements.

While it’s not required by law, it may be worth conducting a risk analysis of your medical practice, with the help of the risk assessment tool provided by the Office of the National Coordinator for Health Information Technology (ONC).

Phase 2 will include a combination of on-site and desk audits. The number of on-site audits is unknown, but there will be about 200 providers audited in the desk-audit process. Those practices must submit requested information electronically, according to David Holtzman, a former OCR senior adviser for health information privacy and security.

“What’s important to understand about the desk audit is there is not going to be an opportunity for a conversation, there is not going to be an opportunity for a give and take,” said Holtzman. “You are not going to have an opportunity to develop new policies and procedures or conduct a risk assessment in that short time in which you get the [audit] letter to when you must respond to the audit request.”

As such, Holtzman recommends practices be sure to have physicians and staff properly trained on HIPAA rules and that training is documented.