In November 2011, as required by the HITECH Act, the Office for Civil Rights (OCR) began auditing selected covered entities’ compliance with the privacy and security provisions of HIPAA and its implementing regulations. In the near future, business associates will be eligible for audit selection as well. This article describes the current enforcement climate and provides practical steps on preparing for and responding to a HIPAA compliance audit.

Is it Getting Hot in Here? HIPAA Heats Up

The commencement of these audits is one of a series of changes that are transforming the HIPAA compliance landscape. The last two years have seen the implementation of breach notification requirements, a 60-fold increase in OCR’s fining authority, increased enforcement activity with more serious repercussions for enforcement targets and, as noted, the start of OCR’s compliance audits. Omnibus regulations implementing the majority of the agency’s outstanding HITECH rules is anticipated shortly.