Last month, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published details about its new HIPAA Privacy and Security Audit Program at its website. This new HIPAA Audit Program is being established pursuant to the American Recovery and Reinvestment Act of 2009 (in Section 13411 of the HITECH Act) which requires HHS to perform periodic audits of covered entities and business associates to ensure that they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
Initially, only covered entities (e.g., health plans, health care providers, etc.), will be selected for audit, but business associates will be included in future audits. OCR plans to audit 150 covered entities during this initial pilot phase, which will last from November 2011 until April 2012.
Entities who have been selected for an audit will receive a letter introducing the contractor that has been selected to perform the audit (currently KPMG), explaining the process and expectations in more detail, and describing the initial document and information requests. Entities are expected to provide the requested information within 10 business days of receiving the request.
OCR plans to notify a selected entity 30-90 days prior to the anticipated onsite visit, which is expected to last 3-10 business days, depending on the organization. Within 20-30 days of completion of the onsite visit, the auditor is expected to provide a draft final report to the entity; the entity will have 10 business days to review the draft and provide written comments to the auditor. Within 30 days of receiving the entity’s response, the auditor will complete a final audit report, which will be submitted to OCR.
Although OCR has stated that these audits will be conducted primarily to improve compliance with HIPAA and to help OCR determine what types of technical assistance should be developed and what types of corrective action are most effective, if an audit report indicates a serious compliance issue, OCR may initiate a separate compliance review to address any identified problems. OCR has indicated that it will not post a list of the entities that have been audited or the findings of any individual audit that clearly identifies the audited entity.
Given this new focus on audits, both covered entities and business associates would be well advised to review their HIPAA privacy and security compliance programs and ensure that they are up to speed.