November 22, 2011
This month through December 2012, the Office for Civil Rights (OCR) of the Department of Health and Human Services will audit up to 150 health plans, health care providers, and health care clearinghouses. These audits are part of a pilot program designed to ensure compliance with HIPAA privacy and security rules, and will help OCR develop procedures for carrying out future audits that it is required to perform under the American Recovery and Reinvestment Act of 2009.
Steps of the Audit. Under the pilot program audit process, OCR will:
- Request documentation demonstrating compliance with HIPAA privacy and security rules;
- Conduct site visits, during which auditors will observe operations and interview key employees;
- Prepare a draft report with the entity that outlines any violations that were found during the audit and describes what corrective actions the entity is taking in response; and
- Compile a final report that contains the findings of the draft report.
Consequences of the Audits. OCR will publish guidance focusing on compliance challenges that come to light during the pilot program audits. Although these initial audits appear to be tailored primarily toward measuring the current state of HIPAA compliance, OCR has indicated that it may initiate separate compliance reviews of entities whose audits reveal potential or major compliance violations, and may impose penalties for compliance failures.