The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun the process of notifying covered entities that they are among the unlucky few who have been selected for the first Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security audits under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The selected entities represent a cross sample of the health care industry—from billion-dollar health care systems to small physician practices. Audited entities will undergo comprehensive reviews of their privacy and security policies and procedures, documentation, and operations.

While the first twenty covered entities have been selected, approximately another 130 remain in this audit round. HHS has indicated that it hopes to continue with proactive audits in the future and expects to become more aggressive in its enforcement of complaints. Accordingly, now is a good time to ensure that:

-- Policies, procedures, and documentation comprehensively address all privacy and security requirements;

-- Privacy and security training has been completed and documented;.....