HIPAA Privacy and Security Audits Begin in November 2011

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, requires the United States Department of Health and Human Services (“HHS”) to perform periodic audits of covered entities and business associates to ensure compliance with the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Starting in November 2011, the HHS Office for Civil Rights (“OCR”) will begin a pilot audit program under which up to 150 covered entities will be audited.  Any covered entity may be selected for audit, and OCR has stated that it intends to audit a wide range of covered entities, including healthcare providers and health plans of all sizes, during the pilot program.

In accordance with OCR’s written audit procedures, entities selected for audit will be notified in writing and must provide the initially requested information within a prescribed period of time, which may be as short as 10 days following the date of the request.  Each audit will include an onsite visit that is expected to start within 30 to 90 days after the audit notification.  Following the visit, OCR will provide the covered entity with the auditor’s draft final audit report, and the covered entity will then have 10 days to provide written comments on that report.  The auditor will then complete the final audit report within 30 days after the entity’s response and submit it to OCR.  The final report submitted to OCR will describe any best practices undertaken by the covered entity and will also describe the steps taken by the entity to resolve any compliance issues identified in the audit.  OCR has stated that it will not post a list of audited entities or any individual audit findings that clearly identify an audited entity.

According to OCR, the audits are primarily a compliance improvement activity intended to help OCR determine what technical assistance to provide and which corrective actions are most effective in addressing compliance issues.  If an audit reveals serious compliance issues, however, OCR may initiate a compliance review to address the problem, which could result in a costly settlement or civil penalties.  Covered entities and business associates, including healthcare providers, group health plans and their respective service providers, should ensure that their HIPAA policies and procedures are compliant and that their workforces have received up-to-date training on HIPAA-related matters.

The audits are expected to be completed by December 2012.  OCR has indicated that business associates will not be audited during the pilot program, but will be included in future audits.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.