New guidance from HHS and OCR concerning the 2017 HIPAA audits. Make sure you are evaluating and addressing security risks before the auditors arrive.

In early December, the Office for Civil Rights (OCR), a branch of HHS, announced that it will be conducting onsite hospital audits in 2017 in addition to its regular desk audits. In that guidance, OCR Senior Advisor Linda Sanches stated that the focus will be on finding “risks and vulnerabilities that the government (is not)… likely to learn about through a filed complaint.” This means an increased focus on what is going on behind the scenes in our organizations: whether risks and vulnerabilities are being evaluated and addressed through effective risk management. As is always the case in these audits, the auditors want to see that we, who are responsible for protecting the PHI of our patients and customers, identified and managed the risks ourselves rather than leaving the auditors to find them.

Security Vulnerabilities

Of particular concern to OCR this year have been the security vulnerabilities introduced through the use of third-party apps. Third-party app developers continue to make our lives and jobs easier by providing solutions to everyday challenges and allowing us to work smarter, not harder. But because these apps must integrate with our databases and systems to work, they also introduce an inherent risk of data breach from threats we may not know about, and that risk is common.

Research suggests that even though third-party application and software usage is highly prevalent across industries, only one in five companies performs any verification of that software. Many organizations were found to have significantly delayed applying patches for known vulnerabilities. In an industry like healthcare, this puts patient information at risk. And since the stated purpose of the 2017 audits is to find the things that are not likely to result in a filed complaint, if we are opening our data up to this kind of breach, we are not doing our due diligence to protect patient information.

OCR Recommendations for Addressing this Vulnerability

OCR recommends that several best practices be put in place to address this vulnerability:

  • All software should be tested and verified before installation: confirm that what you downloaded is what the vendor published, and exercise it in a non-production environment before it touches systems holding ePHI.
  • The IT department within a health organization should evaluate the risk a given app introduces and decide whether it should be used at all.
  • Companies should completely understand what they are agreeing to. This means that knowledgeable people within the organization thoroughly read the licensing agreement before a new third-party application is installed.
  • Licensing agreements can also dictate how software is to be used, and using it otherwise can open a company up to risk.
  • Policies and procedures should be in place to ensure that patches are applied promptly across the organization, with a defined timeline and a way to confirm that every affected system actually received the patch.
  • Security testing should bring to light any vulnerabilities the third-party software introduces that may put ePHI at risk.
  • The United States Computer Emergency Readiness Team (US-CERT) regularly releases information about critical vulnerabilities, so its site should be checked regularly to stay up to date.
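The first recommendation above, verifying software before installation, has a concrete and scriptable core: compare the checksum of the file you actually downloaded against the value the vendor published, and refuse to run the installer on a mismatch. The following shell script is an added example written for this page, not code from OCR or from the original article. The file names are hypothetical, the "published" checksum is computed from a constructed stand-in file, and the installer command is a placeholder; in practice the expected hash comes from the vendor's signed release notes or download page, obtained over a channel separate from the download itself.

```shell
#!/bin/sh
# Added example: gate installation of a third-party package on a SHA-256
# checksum match against the value published by the vendor.
# All file names below are hypothetical; the sample file is constructed inline.

set -u

# Print the SHA-256 of a file; works with GNU coreutils and BSD/macOS tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Exit status: 0 = checksum matches, 1 = mismatch, 2 = file not found.
verify_artifact() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# install_if_verified FILE EXPECTED_SHA256
# Runs the (placeholder) installer only when verification succeeds.
install_if_verified() {
    if verify_artifact "$1" "$2"; then
        echo "would install $1 (replace this line with the real installer command)"
        return 0
    fi
    echo "refusing to install $1" >&2
    return 1
}

# Constructed demo: a stand-in installer, a checksum taken from it to play the
# role of the vendor's published value, then a tampered copy to show the refusal.
demo() {
    tmpdir=$(mktemp -d)
    printf 'stand-in installer payload v1.0\n' > "$tmpdir/app-1.0.pkg"
    published=$(sha256_of "$tmpdir/app-1.0.pkg")   # would come from the vendor
    install_if_verified "$tmpdir/app-1.0.pkg" "$published"
    printf 'tampered\n' >> "$tmpdir/app-1.0.pkg"
    install_if_verified "$tmpdir/app-1.0.pkg" "$published" || true
    rm -rf "$tmpdir"
}

demo
```

A checksum only proves the file is the one the vendor described; it says nothing about whether that software is safe to run against ePHI, which is what the risk evaluation and security testing items in the list above are for. Where the vendor signs releases, verify the signature as well, since an attacker who can replace the download can usually replace an unsigned checksum file hosted beside it.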


In its recent guidance, OCR reminds us that one size does not fit all when it comes to identifying, evaluating and addressing risks. We are responsible for reviewing our own environments and responding to what we find. Because of this, the “ball is in our court” when it comes to protecting ePHI, and we need to demonstrate that we are up to the challenge.

In New Jersey, please contact eSOZO Computer and Network Services to learn more, or call (888) 376-9648. We are happy to answer any questions and help you make sure that your healthcare IT systems are audit ready.

Author: Aaron White, Date: 22nd December 2016


eSOZO Computer and Network Services

4 Walter E Foran Blvd
Suite 301
Flemington, NJ 08822
Phone: (888) 376-9648
Email:

