HIPAA Privacy and Security Audit Program Begins This Month

November 18, 2011

HIPAA-covered entities, including employer health plan sponsors, should watch the mail for a letter from the Office for Civil Rights (OCR).

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the Department of Health and Human Services to conduct periodic audits of covered entities and business associates to ensure compliance with the HIPAA privacy and security rules and breach notification standards. Beginning this month and running through 2012, OCR's new pilot program will audit 150 covered entities.

OCR's independent third-party auditor will select a wide variety of covered entities for audit during the pilot program. Selected covered entities will have 10 days to provide documentation of their HIPAA privacy and security compliance after they receive notification.

During the pilot program, every audit will include a site visit during which auditors will interview key personnel and observe processes and operations to help determine compliance. Covered entities should expect between 30 and 90 days' notice prior to a site visit, which will last between 3 and 10 business days, depending upon the complexity of the covered entity and the access given to materials and staff.

Following the site visit, the auditor will provide the covered entity with a draft report, and the covered entity will have 10 business days to provide written comments back to the auditor. The auditor will then submit a final audit report to OCR.

OCR has presented the audit pilot program as a "compliance improvement activity" aimed at enabling OCR to better understand compliance efforts, additional types of technical assistance that would be useful, and the effectiveness of various corrective actions. However, covered entities should be mindful that if an audit reveals a serious compliance issue, OCR may initiate a compliance review to address the problem.

Covered entities should consider conducting a "self-audit" before OCR comes knocking to ensure the following:

  • Business associate agreements are up to date
  • Current HIPAA privacy and security documents, procedures, and notices are in place
  • Individuals who handle protected health information are trained, and their training is documented

Morgan Lewis can help covered entities prepare for a possible OCR audit and, if necessary, help manage the audit. If you have any questions, please contact one of the following Morgan Lewis attorneys:

Saghi "Sage" Fattahian

John A. Kober

New York
Craig A. Bitman
Gary S. Rothstein

Robert L. Abramowitz
I. Lee Falk
Amy Pocino Kelly
Robert J. Lichtenstein
Joseph E. Ronan, Jr.
Steven D. Spencer
Mims Maynard Zabriskie
David B. Zelikoff
Georgina L. O'Hara

Lisa H. Barton
John G. Ferreira
R. Randall Tracht

Washington, D.C.
Althea R. Day
David R. Fuller
Mary B. (Handy) Hevener
Gregory L. Needles

San Francisco
W. Reece Hirsch

Palo Alto
S. James DiBernardo
Zaitun Poonja