BLOG

HIPAA Compliance Audits

By Alan DeVaughan

Earlier this year, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) asked for feedback from organizations that were subjected to HIPAA compliance audits in 2016 and 2017. This survey is designed to gather information about the effect of those audits on the audited organizations and gather feedback from the organizations about the audit process. The 60-day comment period has closed so everyone is waiting to see the results of the surveys. 

While we wait, our clients are asking if this means the next round of HIPAA compliance audits is imminent. It’s hard to predict what OCR will do before the end 2024, but the survey is an indication that the audit program is being restarted after several years of dormancy. This is a sign that both covered entities and business associates can probably expect the OCR to perform random compliance audits within the next year or two. Over the last few years, OCR’s focus has primarily been on post-breach investigations and enforcing the “right of access” initiative. 

In a previous blog post, I discussed options for aligning your SOC 2 control set to the HIPAA standards. One of the first steps was performing an assessment against the HIPAA Security, Privacy, and Breach notification rules. This assessment allows you to simulate an OCR audit and determine if you have the correct policies, procedures, and controls in place to comply with the HIPAA standards. 

Our team at Meditology performs these assessments for both covered entities and business associates, no matter their size. Meditology uses the OCR’s audit protocol and can provide your organization with information about which HIPAA standards are partially- or non-compliant along with recommendations to bring those items into compliance. Our vast experience in healthcare allows us to tailor the recommendations to suit your organization’s needs and available resources. 

Even if your organization has never performed a HIPAA gap assessment, third-party audit, or other regulatory assessment, Meditology can help you figure out where to start, and we’ll be your partner throughout your journey to compliance. We’ll help you be ready in case the OCR randomly selects your organization to undergo a compliance audit. 

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them.  

Our service lines span cybersecurity certifications, security risk assessments, penetration testing, medical device security, incident response, staff augmentation, and more. Our team is run by former CISOs and privacy officers who have walked in our clients’ shoes, and our experienced consultants hold certifications spanning CISSP, CEH, CISA, HCISPP, CIPP, OSCP, HITRUST, and more. In addition, we maintain strong relationships with healthcare regulatory and standards bodies, including serving as HIPAA expert advisors to the Office for Civil Rights, providing us a uniquely thorough perspective on the healthcare cybersecurity landscape.  

Together with our sister company, CORL Technologies, we serve hundreds of leading healthcare payers, providers, and business associates across the United States. 


Alan DeVaughan is an experienced compliance and information security senior manager specializing in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading the firm's SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying size and complexity in areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years’ experience in information technology consulting for a wide variety of organizations and industries.  

https://www.linkedin.com/in/alandevaughan/  

Most Recent Posts
The Future of HIPAA Regulations Read More
Cloud Security Risk Assessments Instrumental in Transforming Healthcare Organizations’ Cloud Security Posture Read More
Strengthening Medical Device Resiliency and Supply Chain Risk Preparedness in Clinical Settings Read More