January 19, 2012

New Pilot Audit Program: HIPAA Privacy and Security Compliance

The health care privacy rules, which were included originally in the HIPAA law and later amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, are intended to protect the confidentiality of individually protected health information.  Included in the HITECH rules are some specific procedures requiring that individuals be notified of any breach of their personal information. 

The HHS Office for Civil Rights (OCR) has recently launched a HIPAA Privacy & Security Audit Program. The primary purpose of this effort is to determine what further or future guidance might be useful to covered entities (health care providers, health care clearinghouses, and health plans) and their business associates to ensure proper compliance with the privacy, security and breach rules. The initial pilot audit phase began in November 2011 and is anticipated to conclude by December 2012.

If a covered entity or business associate is tagged by OCR for audit, then it must provide OCR with the requested documentation relevant to its privacy and security compliance efforts. The next step is an on-site visit of 3 to 10 days by an OCR representative to interview key personnel and observe the processes and operations of the covered entity or business associate. The results of the audit will then be compiled into a final report and submitted to OCR for its review. The subject of the audit will be able to review the report and take any corrective action necessary, prior to submission of the final report.

Again, the primary purpose of the audit program is for the government to gather information about what additional guidance would be useful to ensure compliance with the law.


The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.

As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.