OCR Audits of Covered Entities for HIPAA Compliance to Begin November 2011
Wednesday, November 16, 2011
Mary Re Knack, Williams Kastner
Print Mail Download i

The time has finally come. This month, the Office of Civil Rights ("OCR") is beginning to audit covered entities to ensure they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. OCR plans to begin with a pilot program to conclude by December 2012. Any covered entity or business associate is eligible to be audited. It is expected, however, that the pilot program will focus on covered entities. The pilot program will include a diverse selection of representatives from the health care industry in order to maximize the information OCR will learn. OCR expects the audit process to evolve in response to the challenges OCR finds with the initial audits and the pilot program.

The present plan provides that parties will be asked to provide information and documentation of their privacy and security compliance efforts. Site visits with interviews of key personnel are also contemplated. Covered entities selected for audit will be notified in writing. Such notice will identify the audit contractor, the audit process and initial requests for information and documentation. OCR expects that responding information and documentation will be provided within 10 business days. With respect to the site visits, OCR plans to alert covered entities of an upcoming site visit between 30 and 90 days ahead of time. It is anticipated that on-site visits may take anywhere from 3 to 10 business days.

A draft of the audit report will be shared with the covered entity who will have 10 business days to provide written comments in response. The auditor then will provide a final report to OCR within 30 business days of the covered entity’s written response.

OCR represents that audits are to be used primarily as a compliance improvement activity. OCR is touting the audit program as an opportunity to identify best practices and improve Privacy and Security for all by helping OCR determine what type of assistance it can provide and what corrective action is most effective. OCR, of course, reserves its right to pursue a compliance review if serious compliance issues are identified. OCR does not plan to disclose what entities are audited or the findings of such audits.

© 2002-2024 by Williams Kastner ALL RIGHTS RESERVED

Current Legal Analysis

More from Williams Kastner

National Labor Relations Board Rocked by Decision of D.C. Circuit
by: Sheryl J. Willert
Tax Planning in 2013 for Individuals and Small Business Owners
by: Business Real Estate and Transactions Practice Group
Mandatory Arbitration Struck Down in Washington
by: Sheryl J. Willert
No Coverage For Text Message Claims Against Pizza Chain
by: Sheryl J. Willert
Insurers Compelled to Produce Internal Attorney Communications and Claims Policies
by: Darren A. Feider
Discovery Alone Does Not Trigger Duty to Defend
by: Darren A. Feider
"Blanket" AI Endorsement Leads to Big Exposure
by: Darren A. Feider
No Duty To Defend Apartment Conversion Claims
by: Darren A. Feider
Washington Supreme Court Rejects Insurer Challenge to Covenant Judgments
by: Darren A. Feider
Get Ready! Paid Sick/Safe Leave For Seattle Workers Coming on September 1!
by: Abby Wool Landon

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins