Never Say Never Again: HHS Signals the Return of HIPAA Audit Program

Simone Colgan Dunlap, Sarah Erdmann, Kaitlyn Fydenkevez, Meghan O'Connor
Quarles & Brady LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Quarles & Brady LLP

On February 12, 2024, the U.S. Department of Health and Human Services (“HHS”) published a notice in the Federal Register regarding reinstatement of the Health Information Portability and Accountability Act of 1996 (“HIPAA”) Audit Program (“HIPAA Audit Program”), including assessing the impact of past audits and possibly preparing to utilize the previous audit process again.

HIPAA Audit Program – Background

Under the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), passed in 2009, the HHS Office for Civil Rights (“OCR”, the specific office tasked with enforcing HIPAA) was required to undertake “periodic audits” of HIPAA covered entities and business associates, to determine those entities’ compliance with HIPAA. The program began in fits and starts, with a first round of audits in 2012 and a second round between 2016 and 2017.

During the 2016-2017 audit, OCR audited the policies and procedures adopted and employed by 166 covered entities and 41 business associates to determine their compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. The 2016-2017 audit cycle concluded in December 2020, when OCR issued a report with its audit findings. Among other things, OCR determined that many entities’ HIPAA-required Notice of Privacy Practices did not include required language and that covered entities were not consistently providing individuals’ access to their protected health information as required under the Privacy Rule. After issuance of its 2020 report, the HIPAA Audit Program went dormant.

Planning for the Future

After over 3 years of silence on the HIPAA Audit front, the Federal Register notice published on February 12, 2024, states that OCR will be reviewing the 2016-2017 audit cycle in order to assess:

  • The effect of the audit on covered entity and business associate compliance activities;
  • Feedback from the audited entities regarding the helpfulness of HHS’ audit communications, online audit submission portal, and the December 2020 final report;
  • The burden on audited entities posed by collecting documentation and compiling responses to the audit; and
  • The impact of the HIPAA Audit program on the audited entities’ day-to-day operations.

The notice states that while the information will be used to review the 2016-2017 audit cycle, it will also be used to improve the HIPAA Audit process moving forward. Based on this, it seems clear that OCR plans to reignite the HIPAA Audit program in the future. The notice also provides contact information for interested individuals to comment on the proposed actions by April 12, 2024.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Quarles & Brady LLP | Attorney Advertising

Written by:

Quarles & Brady LLP
Quarles & Brady LLP
Contact
more
less

Quarles & Brady LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide