
State Departments Conducting Audits?!?

In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits with Meaningful Use, the federal government or large accounting firms such as Figliozzi & Company. All too often, providers assume that due to their size, they can fly under the radar. After all, why would the OCR worry about a practice with two physicians?!? Unfortunately, as several of our clients recently learned, it is not just the federal government that is checking on gaps in compliance or incentive program participation; state departments are getting in on the action too.

Earlier in the summer, one of our clients reached out because they had received a letter from Connecticut’s Department of Social Services. The letter explained that due to ongoing program monitoring efforts, Connecticut’s Department of Social Services would be conducting a review of Connecticut Medicaid Electronic Health Record (EHR) Incentive Program payments made to participating providers. Per the notice, federal regulations governing the Medicaid EHR Incentive Program require States to conduct post-payment reviews. Much to the shock of our client, they were informed they had been selected for a Program Year 2014 desk review and they had just five business days to submit the requested documentation in a PHI-secure manner.

Naturally, receiving such a letter would provoke a certain amount of panic in anyone, especially when considering the Program Year in question was FOUR years ago. As you can imagine, a list of concerns ran through their minds: “Did we conduct a risk analysis that year?” “What if we are unable to produce all the documentation required for this audit?” “How do we best respond?” To protect our client’s privacy, we will not share the results of the audit; however, all providers should heed this cautionary tale if they have ever participated in past or current government incentive programs.

Another recent audit scenario came out of the state of Washington. This entity was audited for Meaningful Use participation as part of a larger state-funded initiative for eligibility audits. In this particular case, Core Objective 1 – Protect ePHI passed the HIPAA Security Risk Analysis review but came up short by failing to provide evidence of remediating risks.

So, what’s the takeaway from these real-life examples? Regardless of whether you performed risk analyses every year for the past six years (per HIPAA Citation 45 CFR 164.316(b)(2)(i)) or not, it is never too late to get your house in order. Auditing bodies respond much better to providers who have performed at least one risk assessment at some point in their past. The majority of settlements and fines cite either failure to have completed a risk analysis OR failure to take action on high-risk findings.

The image above shows our SRA dashboard, including periodic updates showing risks that are being remedied, thereby proving due diligence in protecting electronic Protected Health Information (PHI). This approach reduces the need for frequent compliance committee meetings as all employees understand their roles and assigned work.

At HIPAA One, we are deeply experienced at responding to a vast array of industry audits (we’ve now included State Department audits to this list) and frequently step in to hold our clients’ hands through the experience. Our software, for example, can be configured to launch a campaign for individuals to log in and update those risks in HIPAA One.

The above image shows how to quickly get your HIPAA compliance program moving, specific to quick-add features for Reviewers. This Reviewers feature sends instructional emails to those involved to log in and update any changes to the assigned tasks associated with that risk.
One of the many benefits of being a HIPAA One client is the assurance that we will stand by any HIPAA risk analysis performed using our software so your organization is not shouldering that burden alone. Contact us today for assistance with creating a HIPAA compliance program at your workplace.


  1. This blog is very useful for us! This blog really helps us to know about healthcare audits following with Office for Civil Rights (OCR) Audit Protocol. Thanks for sharing, well done.
