HHS lights up HIPAA audit program
“Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews,” stated OCR’s website dedicated to the program.
The agency will perform up to 150 audits of covered entities to assess compliance with the HIPAA privacy and security requirements. An initial round of 20 audits, running through April 2011, will be used to test and refine the audit procedures before the remaining audits are conducted.
If selected, a covered entity will receive a written audit notice that explains the process and expectations in detail and describes the initial document and information requests. OCR stated that it expects covered entities and business associates who are the subject of an audit to provide the requested information within 10 business days.
OCR also expects to notify covered entities between 30 and 90 days before an onsite visit, which could last between three and 10 business days. Once a draft final report is issued, the covered entity will have 10 business days to review it and return written comments to the auditor.
“The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR,” the agency stated.
All audits in the pilot program will be completed by the end of December 2012.