One of the less well-known provisions of the Health Information Technology for Economic and Clinical Health (or "HITECH") Act[1] is the requirement that the U.S. Department of Health and Human Services ("HHS") periodically conduct audits to ensure that Covered Entities[2] and their Business Associates[3] are complying with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").[4] In November 2011, the HHS Office for Civil Rights ("OCR") launched the pilot phase of its HIPAA compliance audit program ("Audit Program"), selecting 115 entities nationwide to undergo privacy and security audits. While the pilot phase is not scheduled to wind up until December 2012, OCR recently made the protocol[5] guiding these compliance audits publicly available. By identifying individual areas of evaluation, defining the applicable performance criteria, and specifying how auditors will assess compliance with each, the protocol provides a comprehensive and extremely useful roadmap for entities anticipating an OCR audit and all other entities seeking to ensure HIPAA compliance. All Covered Entities and Business Associates should take note, as OCR recently announced that the Audit Program will likely continue through 2014.
Background of the Audit Program
The Audit Program analyzes processes, controls, and policies of entities covered by HIPAA in order to assess compliance efforts, identify best practices, and discover key areas of risk and vulnerability. Although OCR reserves the right to launch a formal investigation if an audit reveals a serious compliance problem, OCR has also stated that such investigations are not the goal of the Audit Program. By the end of 2012, OCR expects to complete its audit of the 115 entities involved in the pilot phase, all of which have already been notified and are defined by HIPAA as "Covered Entities." As indicated above, OCR has announced that the Audit Program will likely continue following the pilot phase, at which point it will probably be expanded to include Business Associates of Covered Entities.