Updated 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

A Look Into an HHS OCR Desk Audit

Since 2016, the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) has been conducting Phase 2 of the HIPAA Audit Program. Through the use of desk audits, HHS has randomly requested documentation and evidence from organizations required to be  HIPAA compliant. HHS OCR is conducting the desk audits to assess the overall compliance of both Covered Entities and Business Associates. OCR plans to share any results gathered through the audit process, and issue guidance targeted to identified compliance challenges.

The desk audits can be requested in two forms:

  1. Risk Analysis (or Risk Assessment) and Risk Management provisions of the Security Rule, or;
  2. Access and notice provisions of the Privacy Rule and the applicable content and timeliness provisions of the Breach Notification Rule.

This week, we’re taking a look at what one Covered Entity provided HHS that was selected for a desk audit. What did they lack that kept them from meeting HIPAA compliance? How would your HIPAA audit go? The answer might surprise you.

An OCR Desk Audit

In 2017, a healthcare organization with fewer than 20 employees, was informed by OCR of its selection for audit. The medical practice had 10 working days to reply. The audit focused on the Risk Analysis and Risk Management provisions of the Security Rule. This organization provided OCR with the following documentation that outlined their compliance efforts relating to Risk and Risk Management:

  • Policies and Procedures addressing the Privacy and Security Rules
  • Over 50 other HIPAA compliance policies
  • HIPAA Risk Assessment administered in 2016
  • Corrective action plan created in 2016
  • Security management process policy

It’s clear from the feedback this organization received, their evidence for compliance wasn’t enough. Although they provided OCR with over 50 policies, manuals, and assessment, the actual content in them was incomplete, inadequate, and/or lacking altogether. After reviewing the materials, OCR provided the organization results of their audit in the form of a report.

The feedback was provided in two forms:

  1. Auditor Ratings: a relative level of entity compliance efforts for each audited element on a scale of 1 through 5.
  2. Auditor Analysis and Findings: specific analysis and findings based on documentation provided.

Auditor Ratings

The feedback this organization received was far from ideal. The auditor assessed entity efforts to comply with the selected elements using the following guidelines. Their score of 3 (highlighted below) out of 5 suggests room for improvement, saying that they “made attempts to comply, but the implementation is inadequate, or some efforts indicate a misunderstanding of requirements.”

The next section of the audit report includes the auditor’s specific analysis and findings from the Risk Analysis and Risk Management documentation.

Auditor Analysis & Findings

Risk Analysis

OCR notes that they failed to address management’s involvement in the Risk Analysis process. They also indicate that the document failed to address the Risk Analysis scope.

Further, OCR stated that the healthcare organization could not prove that their Risk Management policies and procedures were in place and enforced for six years. Covered Entities must retain copies of their policies and procedures for six years.

The organization provided one Risk Assessment administered in 2016. OCR stated that the Risk Assessment:

  • Did not define the scope of the systems to include all the entity’s systems that create, transmit, or maintain ePHI.
  • Did not provide an analysis of currently implemented security measures.
  • Did not provide adequate evidence that it has conducted accurate and thorough assessments of the potential risks and vulnerabilities to PHI.
  • Did not demonstrate that the results were made available to those individuals with Risk Analysis responsibilities.

Risk Management

OCR was not impressed with this organization’s Risk Management process. They provided Policies and Procedures manual and a Security Management Process Policy. OCR explained that the Risk Management documentation:

  • Did not provide policies and procedures that demonstrate it has a Risk Management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Did not identify what is considered an acceptable level of risk based on management approval.
  • Does not specifically address the workforce members’ roles in the Risk Management process.
  • Did not provide evidence that its policies were in place and enforced six years ago.

The findings of this OCR Desk Audit suggest that they did not provide a complete Risk Analysis or a Risk Management plan, nor were they able to prove their HIPAA documentation has been held for at least six years. Now with the help from OCR, they will receive a Final Report with corrective actions to implement for their HIPAA compliance plan.

Could your Organization Pass a HIPAA Desk Audit?

This organization did provide the HIPAA-related documents that OCR requested, but the documentation did not prove that they had safeguards to adequately protect PHI. The end of OCR’s presented the following summary after reviewing this practice’s documentation:

“Failure to fully implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level could leave electronic protected health information susceptible to unauthorized use and/or disclosure.”

The Proof’s in the Pudding

What’s the takeaway from this organization’s HIPAA desk audit? You can’t have generic HIPAA Risk Assessment documents, or bare bones Policies and Procedures template, and expect to have a HIPAA compliant representation of how your business and HIPAA work together. Your Risk Assessment and Risk Management Plan should be well thought out and thorough, as should all of your HIPAA documentation.

And just because the OCR Desk Audits are coming to an end doesn’t mean this is over. In 2017 and 2018, OCR will be conducting on-site audits of Covered Entities and Business Associates. The on-site audits are going to be broader than the desk audits. They will review compliance activities related to a comprehensive set of requirements of the Privacy, Security, and Breach Notification Rules, including additional analysis.

HHS OCR Director Roger Servino says his top enforcement priority for the coming year is to find a “big, juicy, egregious” breach case to use as an example from which others can learn. With the proper authorities on the lookout for violations, any Covered Entity or Business Associate is up for grabs, Director Servino adding that “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”1

For more information on creating a HIPAA compliant Risk Assessment and Risk Management processes specifically, take a look at one of our recent blog articles, “The Ins and Outs of Risk Management”. Need assistance determining all of your HIPAA compliance needs? Total HIPAA offers HIPAA training and compliance materials customized to meet your industry-specific requirements. Call us today at 800.344.6381.

  1. https://www.govinfosecurity.com/top-hipaa-enforcer-names-his-top-enforcement-priority-a-10258

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)