New HIPAA Audit Program Is Underway

Legal Alert

Background on the HIPAA Audit Program

Pursuant to the requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), the U.S. Department of Health and Human Services ("HHS") has initiated a new audit program to ensure that covered entities - health plans, health care providers, and health care clearinghouses - are complying with the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). As a result, HHS' Office for Civil Rights ("OCR") is piloting a program to perform up to 150 audits of covered entities to assess their compliance with the HIPAA privacy and security rules. The pilot audit program began in November 2011 and, according to HHS, will conclude by December 2012.

Purpose of the HIPAA Audit Program

According to HHS, the purpose of the new audit program is primarily to improve covered entities' compliance activities, and the OCR will use the results of the audits to better understand covered entities' compliance efforts with regard to the HIPAA privacy and security rules. While the pilot audit program does not appear to be punitive at this time, if the OCR uncovers a serious HIPAA compliance issue, the OCR may initiate a compliance review to address the problem.

How the HIPAA Audit Program Will Work

Covered entities that have been selected for a HIPAA audit will be informed by the OCR via a notification letter 30 to 90 days prior to the initiation date of the audit. The process is fairly extensive. HHS will request documentation of the covered entity's HIPAA privacy and security compliance efforts, including its HIPAA privacy and security policies, and the covered entity will have up to 10 days to respond to such a request. Every audit in the pilot phase of this program will include a 3- to 10-day site visit and will result in an audit report. During site visits, OCR auditors will interview key personnel and observe the covered entity's processes to determine whether the entity is HIPAA compliant. At the conclusion of a site visit, auditors will issue an audit report describing any deficiencies in HIPAA compliance, together with recommendations for the covered entity to resolve those deficiencies.

Recommendations for Covered Entities

Covered entities should begin reviewing their HIPAA policies and procedures, workforce training procedures, business associate arrangements, notices of privacy practices, and breach notification procedures to ensure that such items are accurate and up-to-date based on current law. For instance, covered entities should ensure that their HIPAA policies and procedures include the new breach notification rules that were implemented under the HITECH Act. In addition, covered entities should be prepared to respond to any inquiries from the OCR within the 10-day timeframe.

For more information, or for assistance with your HIPAA compliance efforts, please contact your SGR Executive Compensation and Employee Benefits counsel.
