Ensure your protocols hold up under scrutiny. Whether your practice experiences a HIPAA violation or is part of an HHS Office for Civil Rights (OCR) audit, it’s important to review your administrative safeguards pertaining to patients’ privacy annually.

Context: Under the Corrective Action Plan for Allergy Associates of Hartford, PC (Allergy Associates), the practice is required “to develop, maintain, and revise, as necessary, its written policies and procedures to comply with the federal standards that govern the privacy of individually identifiable health information” that relate to sections 45 CFR part 160 and subparts A and E of part 164 of the HIPAA Privacy Rule, as the OCR outlined in the Resolution Agreement. The documents suggest that the small specialty practice did not follow through on its part to sanction the covered entity (CE), who exposed the individual’s protected health information (PHI) to the media.

This case emphasizes the importance of HIPAA planning for small practices, which can be audited just as easily as large hospital systems. According to OCR guidance, “every covered entity [CE] and business associate [BA] is eligible for an audit.”

If you’re worried about your administrative policies heading into 2019, check your HIPAA plan against these questions to see if you are properly addressing all your privacy risks:

Resource: For in-depth OCR guidance on the HIPAA Privacy Rule, visit www.hhs.gov/hipaa/for-professionals/privacy/index.html.