Written by Privacy & Data Security Team
We previously blogged about the Office for Civil Rights’ (OCR) HIPAA Privacy, Security and Breach Audit Program (HIPAA Audit Program) on November 30, 2011, March 7, 2012, and June 26, 2012. On Monday, OCR published a notice in the Federal Register in which it essentially announces the return of its HIPAA Audit Program. In the notice, OCR announces that it plans to submit a new information collection request (ICR) – a HIPAA Audit Program survey – to the Office of Management and Budget (OMB) for approval under the Paperwork Reduction Act of 1995, and seeks comments on the proposed survey and the burden imposed by it. The title of the survey is “HIPAA Covered Entity and Business Associate Pre-Audit Survey.” OCR proposes to survey up to 1200 HIPAA covered entities and business associates to determine suitability for the OCR HIPAA Audit Program. OCR plans to use the survey to assess the size, complexity, and fitness of the surveyed covered entities and/or business associates for a HIPAA audit. The survey will collect information about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.
Under HITECH Act § 13411, 42 USC § 17940, HHS is required to provide for periodic audits to ensure that HIPAA covered entities and their business associates are complying with the HIPAA Privacy, Security and Breach Notification Rules. In 2011-2012, OCR developed audit protocols for the Privacy, Security, and Breach Notification Rules, and conducted a pilot audit program. Since then, it has been evaluating the audit program and revising the audit protocols to reflect changes made to the Rules by the HIPAA/HITECH Act Omnibus Rule. This survey may signal the revitalization of the OCR HIPAA Audit Program, which has not been active since the conclusion of the pilot audit program in December 2012. It is important to note that, unlike the pilot audit program, which audited only the compliance of covered entities, this forthcoming round of audits will include both covered entities and business associates. We also note that this next round of HIPAA compliance audits may be more focused and targeted on high-priority issues, rather than the broad-based audits of the pilot program. As previously noted, OCR has recently indicated that, instead of broadly auditing covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules, its future audits would likely focus on key areas of concern for OCR identified by new initiatives, enforcement concerns, and Departmental priorities.
Comments on the ICR are due by April 25, 2014, and should be submitted to Information.CollectionClearance@HHS.gov.