HIPAA Privacy and Security Audit Program Begins This Month
Sunday, November 20, 2011
Print Mail Download i

HIPAA-covered entities, including employer health plan sponsors, should watch the mail for a letter from the Office for Civil Rights (OCR).

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the Department of Health and Human Services to conduct periodic audits of covered entities and business associates to ensure compliance with the HIPAA privacy and security rules and breach notification standards. Beginning this month and running through 2012, OCR's new pilot program will audit 150 covered entities.

OCR's independent third-party auditor will select a wide variety of covered entities for audit during the pilot program. Selected covered entities will have 10 days to provide documentation of their HIPAA privacy and security compliance after they receive notification.

During the pilot program, every audit will include a site visit during which auditors will interview key personnel and observe processes and operations to help determine compliance. Covered entities should expect between 30 and 90 days' notice prior to a site visit, which will last between 3 and 10 business days, depending upon the complexity of the covered entity and the access given to materials and staff.

Following the site visit, the auditor will provide the covered entity with a draft report, and the covered entity will have 10 business days to provide written comments back to the auditor. The auditor will then submit a final audit report to OCR.

OCR has presented the audit pilot program as a "compliance improvement activity" aimed at enabling OCR to better understand compliance efforts, additional types of technical assistance that would be useful, and the effectiveness of various corrective actions. However, covered entities should be mindful that if an audit reveals a serious compliance issue, OCR may initiate a compliance review to address the problem.

Covered entities should consider conducting a "self-audit" before OCR comes knocking to ensure the following:

  • Business associate agreements are up to date
  • Current HIPAA privacy and security documents, procedures, and notices are in place
  • Individuals who handle protected health information are trained, and their training is documented
Copyright © 2024 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Current Legal Analysis

More from Morgan, Lewis & Bockius LLP

Arizona to Fintech Companies: Come Play in Our Sandbox!
by: Melissa R. H. Hall , Charles M. Horn
New Russia Sanctions: Key Takeaways
by: Brian L. Zimbler , Carl A. Valenstein
DOJ’s First Enforcement Action for ‘No-Poaching’ Agreements Since the Landmark Antitrust Guidance for HR Professionals
by: Mark L. Krotoski
Government Requests for Data: CLOUD Act Attempts to Provide Guidance
by: Dr. Axel Spies , Jessica M. Pelliciotta
Contract Corner: Is It Time for Form NDA Spring Cleaning?
by: Michael L. Pillion , Jessica M. Pelliciotta
Renewable Energy Deals Targeted for More Scrutiny in New Trade Report
by: Stephen Paul Mahinka
No Such Thing as Simple Food Labeling: Changes Ahead in 2018
by: Ryan Fournier
Gender Equality: The French Government’s Roadmap
by: Sabine Smith-Vidal , Laetitia de Pelet
Power to the States: Which Came First, the Chicken (CFPB) or the Eggs (AGs)?
by: Nicholas M. Gess , Charles M. Horn
DC Circuit’s ACA v. FCC Decision: Implications for Calling and Texting
by: Gregory T. Parks , Ezra D. Church

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins