Background on the HIPAA Audit Program
Pursuant to the requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), the U.S. Department of Health and Human Services (“HHS”) has initiated a new audit program to ensure that covered entities – health plans, health care providers, and health care clearinghouses – are complying with the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). As a result, HHS’ Office for Civil Rights (“OCR”) is piloting a program to perform up to 150 audits of covered entities to assess their compliance with the HIPAA privacy and security rules. The pilot audit program began in November 2011 and, according to HHS, will conclude by December 2012.
Purpose of the HIPAA Audit Program
According to HHS, the purpose of the new audit program is primarily to improve covered entities’ compliance activities, and the OCR will use the results of the audits to better understand covered entities’ compliance efforts with regard to the HIPAA privacy and security rules. While the pilot audit program does not appear to be punitive at this time, if the OCR uncovers a serious HIPAA compliance issue, the OCR may initiate a compliance review to address the problem.
How the HIPAA Audit Program Will Work
Covered entities that have been selected for a HIPAA audit will be informed by the OCR via a notification letter 30 to 90 days prior to the initiation date of the audit. The process is fairly extensive. HHS will request documentation of the covered entity’s HIPAA privacy and security compliance efforts, including HIPAA privacy and security policies. The covered entity will have up to 10 days to respond to such a request. Every audit in the pilot phase of this program will include a 3- to 10-day site visit and will result in an audit report. During site visits, OCR auditors will interview key personnel and observe the covered entity’s processes to determine whether the entity is HIPAA compliant. At the conclusion of a site visit, auditors will issue an audit report that will include a description of any deficiencies in HIPAA compliance, as well as recommendations for the covered entity to resolve such deficiencies.
Recommendations for Covered Entities
Covered entities should begin reviewing their HIPAA policies and procedures, workforce training procedures, business associate arrangements, notices of privacy practices, and breach notification procedures to ensure that such items are accurate and up to date under current law. For instance, covered entities should ensure that their HIPAA policies and procedures incorporate the new breach notification rules implemented under the HITECH Act. In addition, covered entities should be prepared to respond to any inquiries from the OCR within the 10-day timeframe.
Additional information about the new HIPAA audit program can be accessed here.
For more information, or for assistance with your HIPAA compliance efforts, please contact your SGR Executive Compensation and Employee Benefits counsel.