HIPAA/HITECH Audits: OCR Program to Audit 150 Covered Entities

Today the Office for Civil Right (OCR) announced details of a pilot program to perform up to 150 audits of covered entities to assess privacy and security compliance under HIPAA. OCR will be conducting the audits between November 2011 and December 2012.

The days of waiting for HIPAA privacy and security enforcement activities are over. The announcement of these planned audits will get the attention of health care providers who have failed to focus on HIPAA privacy and security compliance efforts. The announcement will remind all health care providers to maintain an active, current HIPAA privacy and security compliance program.

OCR provides more detail on the audit program on the OCR HIPAA Audit Program page, including this description of the program objectives:

The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities, Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.

The OCR HIPAA Audit Program page also provides detail on when the audits will begin, who will be audited, how the audit process will work, and what will happen after the audit. The information indicates that they will select a broad range of covered entities for the first round of audits and that business associates will be included in future audits.

OCR provides the graphic below to help describe how the audits will be performed. Covered entities will be selected, notified, and asked to provide documentation of privacy and security compliance efforts within 10 business days. An onsite visit will occur and interviews will be performed. A draft report will be provided to the covered entity and there will be a procedure for the covered entity to discuss the areas of concern raised in the audit and describe any corrective action they may implement.



 The HIPAA audits are a requirement under the American Recovery and Reinvestment Act of 2009 (Section 13411). HHS awarded to KPMG a $9 million dollar contract earlier this year to assist OCR with the audits.