Are You Ready for Your HIPAA Audit?

by hipaademystified on September 26, 2016

Many people hate the “H” word, and yet health care professionals (including mental health professionals) are starting to be audited regarding their compliance efforts. If you are someone who has used “head in the sand” as a coping technique, you may be rudely awakened by an audit. Additionally, in the event that client confidential information is lost or stolen, your bubble of denial may be burst when you are required to report this to the Department of Health and Human Services (HHS). The bubble indeed may shatter when you realize this information may also need to be reported to clients themselves, as well as the local media! Imagine your name (or your practice name) appearing on the HHS Breach Notification Portal (commonly referred to as the “Wall of Shame”) for all to see. As mental health professionals, we should perhaps look at our denial and push past it to protect client privacy. While we are all well versed in client confidentiality, HIPAA has explicit privacy regulations dealing with confidentiality issues, and also security regulations which deal with electronic confidential client information. All confidential information, whether oral, paper, or electronic, is termed “protected health information” (PHI) and must be protected in specific ways under HIPAA. Any electronic information created, received, maintained, or transmitted by an organization is subject to the HIPAA Security Rule. So let’s see how you are doing…

  • Have you updated your Notice of Privacy Practices (NPP)? In 2013 new requirements were added which need to be included in a revised NPP. These revisions deal with the changes brought by the Final Omnibus Rule in 2013, such as rights to restrict disclosures and a client’s right to be notified in the event of a breach of their PHI, and they require the NPP to be posted on an organization’s or practice’s website. Have you integrated stricter state law into your NPP?
  • Have you conducted your required security risk assessment? A risk analysis must be conducted to evaluate risks and vulnerabilities to electronic protected health information, with a resulting remediation plan put in place. Have you addressed all 54 security regulations?
  • Do you know the procedure under HIPAA and HITECH (the Health Information Technology for Economic and Clinical Health Act) regulations should you have a breach of client protected health information? Do you know when you are required to notify the Department of Health and Human Services? Are you aware of any breach notification law specific to your state?
  • Are you aware of the government-imposed fines and penalties for HIPAA violations? If you simply ignore the regulations, it is considered “willful neglect,” which mandates fines and penalties of $10,000 to $50,000 per violation. However, if you are attempting to comply with the regulations, a fine is not mandated; instead the Office for Civil Rights will likely work with you on the steps to take to get compliant.
  • Have you named a chief privacy officer and a chief security officer?
  • Do you have written policies and procedures specific to your practice? Have staff (and volunteers) been trained on them? Both of these are requirements under HIPAA.

Consider the following scenarios that have been reported to the Department of Health and Human Services and adjudicated through the Office for Civil Rights (OCR):

Anchorage Community Mental Health Services (ACMHS) in Alaska was fined $150,000 for a data breach affecting 2,743 individuals. The organization failed to patch their systems and ran outdated, unsupported software, opening the door to malware that compromised the security of their IT systems. While they did adopt sample security policies and procedures, they did not follow them. The OCR noted that they had failed to identify and address basic security risks to their IT system. Besides the hefty fine, ACMHS had to put a corrective action plan into place and report on the state of their compliance to OCR for two years[i].

ST Psychotherapy, LLC, of Oshkosh, Wisconsin, was required to inform 509 clients of a potential breach of their protected health information when an unencrypted laptop was stolen from their office. The laptop included records on outpatient mental health clients, as well as social security numbers, dates of birth, medical histories, mental status interviews, psychological testing, and statements of work capacity.[ii]

A briefcase was stolen from an employee of Access Counseling, LLC, in Los Angeles. The briefcase was taken from the employee’s car and contained clinical notes related to all their clients, as well as names, partial social security numbers, dates of birth, and addresses.[iii]

Northwestern Counseling and Support Services in St. Albans, Vermont suffered a breach when a cash lockbox was stolen that contained itemized receipts, including client social security numbers.[iv]

Most of us can imagine any one of these scenarios happening. As therapists, we are now both ethically and legally required to protect client PHI in all forms. HIPAA compliance is each practitioner’s responsibility. The Department of Health and Human Services maintains a breach notification portal listing the names of practitioners or organizations where HIPAA violations affected 500 or more individuals. Take a look at how public a breach of confidential information (oral, paper, or electronic) becomes to the world. The breach notification portal is often referred to as the “Wall of Shame.”

Get informed about HIPAA and act on it before an audit finds you, or before you end up violating clients’ confidentiality and privacy and becoming a begrudging star on the Wall of Shame.

[ii] Identity Theft Research Center (2015). Data breach reports. Retrieved from

[iii] Ibid.

[iv] Privacy Rights Clearinghouse (n.d.). Identity theft and data breaches. Retrieved from