Preparing for HIPAA Compliance Audits

The Department of Health and Human Services (HHS), through the Office of Civil Rights (OCR), issued the final rule modifying HIPAA, HITECH, and GINA. The rule strengthens the privacy and security protections for individuals’ health information, modifies the Breach Notification rule, strengthens the privacy protections for genetic information, and makes certain other modifications to improve workability and effectiveness, increase flexibility for, and decrease the burden on regulated entities.

Final Rule: Effective March 26, 2013

Major Final Modifications:

1. HIPAA Privacy and Security
   a. Business associates (BAs) are directly liable for compliance
   b. Use and disclosure of PHI for marketing and fundraising purposes are more limited, and sale of PHI without individual authorization is prohibited
   c. Individuals have expanded rights to receive electronic copies of their health information in the form they request and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full

Action Item: Covered Entities (CEs) and Business Associates (BAs) must modify and redistribute their notices of privacy practices.

2. HIPAA Enforcement Rule: HITECH’s increased and tiered civil money penalty structure is incorporated
3. Breach: Replaces the “harm” threshold with a more objective standard and supplants the interim final rule
   a. Impermissible use or disclosure of protected health information is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the protected health information has been compromised

Note: CEs and BAs have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach (such as by demonstrating through a risk assessment that there was a low probability that the protected health information (PHI) had been compromised), and they must maintain documentation sufficient to meet that burden of proof.

4. Instead of assessing the risk of harm to the individual, CEs and BAs must assess the probability that PHI has been compromised based on a risk assessment that considers at least the following factors:
   i.   The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
   ii.  The unauthorized person who used the protected health information or to whom the disclosure was made
   iii. Whether the protected health information was actually acquired or viewed
   iv.  The extent to which the risk to the PHI has been mitigated

If you don’t have the latest HIPAA manual, you can order an updated manual from Optometric Business Solutions (OBS) at Make sure you state that you are a TSO office to receive your discount. 

Contact Ann Deen at with questions relating to HIPAA audits.