OCR Audits of Covered Entities for HIPAA Compliance to Begin November 2011
The time has finally come. This month, the Office of Civil Rights ("OCR") is beginning to audit covered entities to ensure they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. OCR plans to begin with a pilot program to conclude by December 2012. Any covered entity or business associate is eligible to be audited. It is expected, however, that the pilot program will focus on covered entities. The pilot program will include a diverse selection of representatives from the health care industry in order to maximize the information OCR will learn. OCR expects the audit process to evolve in response to the challenges OCR finds with the initial audits and the pilot program.
The present plan provides that parties will be asked to provide information and documentation of their privacy and security compliance efforts. Site visits with interviews of key personnel are also contemplated. Covered entities selected for audit will be notified in writing. Such notice will identify the audit contractor, the audit process and initial requests for information and documentation. OCR expects that responding information and documentation will be provided within 10 business days. With respect to the site visits, OCR plans to alert covered entities of an upcoming site visit between 30 and 90 days ahead of time. It is anticipated that on-site visits may take anywhere from 3 to 10 business days.
A draft of the audit report will be shared with the covered entity who will have 10 business days to provide written comments in response. The auditor then will provide a final report to OCR within 30 business days of the covered entity’s written response.
OCR represents that audits are to be used primarily as a compliance improvement activity. OCR is touting the audit program as an opportunity to identify best practices and improve Privacy and Security for all by helping OCR determine what type of assistance it can provide and what corrective action is most effective. OCR, of course, reserves its right to pursue a compliance review if serious compliance issues are identified. OCR does not plan to disclose what entities are audited or the findings of such audits.