The American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, the Office of Civil Rights (OCR) released information on November 8, 2011 to launch its pilot program where they are to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase will begin November 2011 and conclude by December 2012.
Once the covered entities have been selected, they will be notified as to their selection. Within 30 to 90 days, the on-site inspection of the covered entities will occur. Depending on the size of the entity, the government stated that the audits may take up to three days and will examine procedures and policies within the office. After reviewing the findings of the initial 20 audits, the audit process will be analyzed for procedural changes. Afterward, the audits will continue until the remaining 130 audits are completed by December 2012. Data from the entire 150 audits will be used to guide compliance audits in the future.
During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. According to an OCR press release, “We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.” Every covered entity and business associate is eligible for an audit.
Following the on-site visit, auditors will develop and share with the provider a draft report, which will generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. The covered entity will have 10 business days to review it, and will be invited to provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. The final report submitted to OCR will incorporate the deficiencies found by the auditors, the steps the entity has taken to resolve any compliance issues and also describe any best practices discovered at the entity. Although the audit results will be “broadly shared”, OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.