HHS to Begin HIPAA Privacy/Security Audits in November
The HITECH Act requires HHS to conduct periodic audits to ensure that covered entities and business associates are complying with HIPAA’s privacy and security rules and breach notification requirements. To implement this mandate, HHS’s Office for Civil Rights (OCR) has launched a three-stage pilot audit program, which is now detailed on HHS’s website. The first stage developed audit protocols, which HHS summarized in its first annual report to Congress on HITECH compliance (see our article). The second stage involves a limited number of audits—starting in November 2011—to test the protocols (and revise them as appropriate), and the third stage will initiate a full range of audits using the revised protocols. OCR expects to complete up to 150 audits total under this pilot program by December 2012. Here are highlights from the HHS website:
Who Will Be Audited? OCR intends to audit a wide range of covered entities, including health plans of all sizes. Although every covered entity and business associate is eligible for an audit, OCR currently indicates that business associates will be included in future rounds of audits.
Timeline for Audits. Entities selected for audit will be notified in writing (a sample initial notification letter is available on the HHS website) and will have at least 10 days to provide the initially requested information. An onsite visit is expected to start within 30 to 90 days after the audit notification. The entity will later have 10 days to provide written comments on the auditor’s draft final report. The final report submitted to OCR will describe any best practices of the entity and will include steps taken by the entity to resolve any compliance issues identified in the audit.
What Happens After an Audit? These audits are “primarily a compliance improvement activity” that OCR plans to use to determine what kinds of technical assistance to develop and what kinds of corrective action are most effective. But OCR may initiate a compliance review to address any serious compliance issues uncovered in an audit. OCR will not post a listing of audited entities or post individual audit findings that clearly identify the audited entity.
Available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html