HIPAA-HoustonHouston Network Security Computers Logo HIPAA-Houston

HIPAA Audits

CMS performed recent reviews for HIPAA Covered Entities to verify compliance of "Security Standards for the Protection of Electronic Protected Health Information (ePHI)". After completing these reviews, they identified key compliance areas that practices struggle with:

  • Encryption
  • Workforce Clearance (ongoing background investigations on all people including vendors who have access to ePHI).
  • Security Training
  • Computer Security
  • Risk Assessment


Know the importance of responding to an OCR pre-audit questionnaire and how to respond!

  • Can you respond within the required 10 business days of receiving a questionnaire?
  • Do you have a designated privacy official and a list of Business Associates your company uses?
  • Have you done workforce training and do you have the proper documentation (federal and state) for proof?

These pre-audits are underway now! If you do not have a plan and documentation in place it will be too late once you get notification. The time is NOW to contact us to prepare you for these audits.



Regulations consider outside professionals and companies that need access to health information to accomplish their tasks to be "business associates." Does the company or person performing or assisting in the performance of an activity or function involve the use or disclosure of protected health information (ePHI)? Does the business associate provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that require the disclosure of ePHI by the covered entity? If so, a business associate contract is required.

Any cloud provider should sign a BA Agreement, and any reputable cloud provider should be able to pass a SOC 2 audit.

Information Security



All businesses should have an information security program in place to protect information from unauthorized release and to ensure confidentiality is preserved. We perform information security audits for our clients. This not only includes electronic protected health information, but personally identifiable information, which is also federally and state regulated. Personally identifiable information refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. All businesses should develop sound policies that govern the identification and handling of sensitive information. The security program should be customized to meet the needs of that particular business environment and support the mission of the organization. There should be a mitigation process in place to handle identified threats. We can assist you in this process.