OCR to Resume HIPAA Audits. Get Ready Now!


In a Feb. 24 notice in the Federal Register, the HHS's Office for Civil Rights (OCR) announced its intention to resume its HIPAA Audit Program.  By and large, the audit program has been inactive since December 2012, when OCR concluded its pilot audit program.  

In the notice, OCR proposes to survey up to 800 HIPAA covered entities (health plans, healthcare clearinghouses and healthcare providers) and 400 business associates. OCR expects to use the survey to gather information including, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations. According to the notice, OCR will then use the information to verify whether the entity is a suitable candidate for a HIPAA audit. While not all of those surveyed are expected to be audited, OCR is declining to say how many organizations are likely to be actually audited. Accordingly, all covered entities and business associates should be prepared.

One of the primary focuses of the resumed audits is expected to be whether covered entities have conducted timely and thorough security risk assessments as required under HIPAA. According to the OCR, about two-thirds of covered entities audited in 2012 failed to conduct appropriate security risk assessments. Security risk assessments have been required under HIPAA since April 2005 and are a core requirement under the Medicare and Medicaid EHR Meaningful Use incentives.

Whether or not you've done your risk analysis (and review it annually, too), HHS has recently developed a tool to help providers comply with this requirement. The Security Risk Assessment toolbox is designed to help small- to medium-sized health care providers conduct and document a risk assessment. It's important to note that use of the new tool is not mandated by OCR or under HIPAA: there is no standard template for what a risk assessment should look like, since it's entirely dependent on the specific facts of the specific entity.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Brown Law Firm | Attorney Advertising
