
HIPAA One-oh-one Webinar

P.A.T. Certified Auditor

Date and Time

July 12, 2016 at 11am MT (1pm ET)


Click to register here, which will send us your RSVP via email.  After validation, we will send you the calendar invite.


Part of your organization’s focus should be protecting the privacy and security of PHI and reducing the probability of a breach. Passing an OCR audit should be the natural result of an effective compliance culture.

To be prepared for HIPAA compliance, and in turn, to be ready for an audit:

  • Document your security, privacy and breach policies and schedule a review to update those policies at least every 3 years.
  • Regularly perform a security risk analysis to find any vulnerable areas and create an action plan to fix them. Reviews are recommended annually for CMS reimbursements and at least every 3 years for BAs.
  • Update your risk analysis and risk management plans if they haven’t been updated in 2+ years.
  • Keep an organized file of the business associates affiliated with your organization. Update your agreements with them when changes are made.
  • Train your staff so they understand the importance of maintaining a culture of HIPAA compliance and they know the required steps to take to protect the ePHI your organization handles.

Why is the OCR cracking down on their audits?

According to David Holtzman, a former senior advisor at OCR, “the healthcare industry is a generation behind banking in safeguarding information.” In 2013, the healthcare industry saw a 138% increase in the exposure of sensitive records, as well as a 20% increase in medical identification theft. No one looks forward to an audit. Audits are time-consuming and can be unpleasant. But no one wants to experience a security breach either, and the effects of a breach are much worse to endure than an audit. If you’re already HIPAA compliant, then you’re already prepared to survive an OCR audit.

Why should you attend

Phase 1 of the HIPAA Audit Program officially ended and Phase 2 of the HIPAA Audit program was announced on March 21, 2016 by Health and Human Services. In April 2016, they announced the updated HIPAA Audit Protocol.

To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government’s auditing of compliance has been updated and expanded. This time around, OCR’s random audit of 350 covered entities and 50 business associates will assess the selected organizations’ compliance with HIPAA privacy, security and breach notification rules. If you’re a covered entity, OCR’s focus will be on:

  • Risk analysis and risk management (Security Rule)
  • Material and timeliness of breach notifications (Breach Notification Rule)
  • Notification of privacy practices updates to changes in the HIPAA Omnibus Rule and access to rights (Privacy Rule).

If you’re a business associate, your focus is on security risk analysis, risk management and breach reporting to your covered entities. A desk audit involves submitting certain content and documentation demonstrating the scope and timeliness of your efforts to comply with HIPAA and its rules. Auditors may or may not ask you for clarifications or for more information. If you don’t respond within the deadline, it won’t inspire any confidence in your clients. In addition, it may result in failure to renew a Purchase Order, severance of existing agreements, or, if responding to the OCR, a failed audit with enforcement fines and penalties.


Steven Marco


Steven Marco, as President of HIPAA One, has helped over 2,400 sites become compliant with the HIPAA Security Rule with a 100% success rate responding to audits using the HIPAA One Software program. With over 20 years of experience as a Certified Auditor, Steve holds a Bachelor’s Degree from Ryerson University in Computer Information Systems Management and Corporate Law.

