OCR’s HIPAA Pilot Audit Program begins November 2011
November 17, 2011
HHS Office for Civil Rights (“OCR”) announced last week that its pilot for HIPAA compliance audits will begin this month and end in December 2012. The American Recovery and Reinvestment Act of 2009 requires periodic audits of covered entities and business associates to ensure compliance with the HIPAA Privacy and Security Rules and Breach Notification standards.
In this first round of audits, OCR plans to audit a diverse group of up to 150 covered entities. Business associates will be audited in future audits. The OCR will notify those covered entities it selects to be audited and will request that the covered entities’ documentation regarding HIPAA Privacy and Security compliance be sent to the OCR for review within 10 business days of the request.
During the pilot program, every audit will include a site visit by the auditor and an audit report. Covered entities will be notified 30 to 90 days prior to the site visit. Site visits will usually last between 3 and 10 days and include interviews with key personnel and observations of processes and operations. After a site visit, the auditor will provide the covered entities with a draft final report that contains a description of how the audit was conducted, the findings, and the covered entity’s actions in regard to the findings. Covered entities will have 10 business days to submit a written response to the draft final report. The response may address any concerns and describe steps taken by the covered entity in response to concerns identified by the auditor in the draft final report.
The auditor will send its final report to the OCR within 30 business days of receiving a written response. Final reports will include the steps taken by a covered entity in response to any compliance concerns and will describe the covered entity’s best practices related to HIPAA Privacy and Security compliance.
The OCR indicated in its announcement of the pilot audit program that it will mainly use the information collected by the audits to improve HIPAA Privacy and Security compliance. However, the OCR also stated that any serious compliance issue found during an audit may result in a compliance review.
For more information regarding the HIPAA Privacy and Security compliance audits or HIPAA in general, or if you have been selected for an audit and need assistance in preparing for or responding to the audit, please contact a member of Benesch’s Health Care Department:
Additional Information
Benesch’s Health Care Practice Group
Cleveland
Gregory Binford at (216) 363-4617 or gbinford@beneschlaw.com
Harry Brown at (216) 363-4606 or hbrown@beneschlaw.com
W. Cliff Mull at (216) 363-4198 or cmull@beneschlaw.com
Daniel J. O’Brien at (216) 363-4691 or dobrien@beneschlaw.com
Alan Schabes at (216) 363-4589 or aschabes@beneschlaw.com
Columbus
Frank Carsonie at (614) 223-9361 or fcarsonie@beneschlaw.com
Janet Feldkamp at (614) 223-9328 or jfeldkamp@beneschlaw.com
Martha Sweterlitsch at (614) 223-9367 or msweterlitsch@beneschlaw.com
White Plains
Ari J. Markenson at (914) 682-6822 or amarkenson@beneschlaw.com
The link to the OCR’s announcement is: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html