HHS Publishes Roadmap for HIPAA Audits


One of the less well-known provisions of the Health Information Technology for Economic and Clinical Health (or "HITECH") Act[1] is the requirement that the U.S. Department of Health and Human Services ("HHS") periodically conduct audits to ensure that Covered Entities[2] and their Business Associates[3] are complying with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").[4] In November 2011, the HHS Office for Civil Rights ("OCR") launched the pilot phase of its HIPAA compliance audit program ("Audit Program"), selecting 115 entities nationwide to undergo privacy and security audits. While the pilot phase is not scheduled to wind up until December 2012, OCR recently made the protocol[5] guiding these compliance audits publicly available. By identifying individual areas of evaluation, defining the applicable performance criteria, and specifying how auditors will assess compliance with each, the protocol provides a comprehensive and extremely useful roadmap for entities anticipating an OCR audit and all other entities seeking to ensure HIPAA compliance. All Covered Entities and Business Associates should take note, as OCR recently announced that the Audit Program will likely continue through 2014.

Background of the Audit Program

The Audit Program analyzes processes, controls, and policies of entities covered by HIPAA in order to assess compliance efforts, identify best practices, and discover key areas of risk and vulnerability. Although OCR reserves the right to launch a formal investigation if an audit reveals a serious compliance problem, OCR has also stated that such investigations are not the goal of the Audit Program. By the end of 2012, OCR expects to complete its audit of the 115 entities involved in the pilot phase, all of which have already been notified and are defined by HIPAA as "Covered Entities." As indicated above, OCR has announced that the Audit Program will likely continue following the pilot phase, at which point it will probably be expanded to include Business Associates of Covered Entities.

Please see full alert below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Epstein Becker & Green | Attorney Advertising
