HIPAA Privacy and Security Audit Pilot Program Takes Flight

Proskauer on Privacy

On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program pursuant to the American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act. The OCR pilot program calls for approximately 150 audits of covered entities, to commence in November 2011 and conclude by December 2012. The audits are intended to address privacy and security compliance and to assist OCR in assessing and identifying best practices, as well as risks and vulnerabilities, for health care entities.

Pilot Program

OCR has stated that the initial 150 audits will be of covered entities that range in type and size and include health services providers, health plans, and health care clearinghouses. OCR is expected to implement the pilot program in three phases. The first is the development of the audit protocols. Second, OCR will conduct initial audits of 20 covered entities, and that small sample should expect an OCR notification letter by the end of December 2011. An OCR draft notification letter is available here. OCR expects that the initial audits will be completed by April 2012, and that OCR will use the information gathered from these audits to review and adjust the audit protocols. Lastly, OCR will conduct the remaining 130 audits, with expected completion by December 2012.

Audit Process

OCR anticipates that each covered entity will receive a notification letter 30 to 90 days prior to the audit with contact information for the auditor, an explanation of the audit process and an initial request for documents. It is expected that the initial request for documents will include a request for copies of the covered entity’s privacy policies and procedures, security policies and procedures, security risk assessment, and data breach notification policies and procedures. Covered entities will have up to 10 days to respond. Once on site, OCR expects that the audits will take approximately 3 to 10 days, and within 30 days of the completion of the on-site audit, OCR will issue an audit report. The report is expected to include a description of any deficiencies and recommendations for best practices for the covered entity. If OCR finds significant deficiencies, it may initiate additional proceedings which may lead to civil monetary penalties.
Although this initial audit is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Proskauer on Privacy
