In an effort to comply with Section 13411 of the HITECH Act, the Office for Civil Rights (“OCR”) recently announced the implementation of a pilot program to audit covered entities and business associates to ensure they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. OCR anticipates performing up to 150 audits during the pilot phase, which began in November 2011 and should conclude by December 2012. OCR will use the audits and associated site visits to assess HIPAA compliance efforts, examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s complaint investigations and compliance reviews.
Every covered entity is eligible for an audit, and OCR anticipates including business associates in future audits. When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The notification letter will introduce the audit contractor (KPMG won OCR’s $9.2 million contract for the HITECH-required HIPAA audits), explain the audit process, and describe the initial document and information requests. OCR expects entities selected for audit to provide the requested information within ten business days of the request.
During the pilot phase, every audit will be accompanied by a site visit in which auditors will interview key personnel and observe processes and operations to help determine compliance. Covered entities should be notified of a site visit between 30 and 90 days before the anticipated visit, which itself may take between three and ten business days. Auditors will then develop a draft report describing the findings and the actions the covered entity is taking in response to them. Before the report is finalized, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address the issues identified.
OCR maintains that the audits are primarily a compliance improvement activity. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Unlike its practice for reported breaches, OCR will not post a listing of audited entities or otherwise identify the audited entity when sharing findings. Covered entities should begin preparing for these new audits by reviewing and updating their policies, procedures, and training. Entities should ensure compliance protocols are being followed and that they are positioned to recognize audit notification letters and respond within the short time frames for producing requested information.