
Alston & Bird Privacy, Cyber & Data Strategy Blog


HIPAA Audit Program Returning?

February 26, 2014 By Privacy, Cyber & Data Strategy Team

We previously blogged about the Office for Civil Rights’ (OCR) HIPAA Privacy, Security and Breach Audit Program (HIPAA Audit Program) on November 30, 2011, March 7, 2012, and June 26, 2012. On Monday, OCR published a notice in the Federal Register in which it essentially announces the return of its HIPAA Audit Program. In the notice, OCR announces that it plans to submit a new information collection request (ICR) – a HIPAA Audit Program survey – to the Office of Management and Budget (OMB) for approval under the Paperwork Reduction Act of 1995, and seeks comments on the proposed survey and the burden imposed by it. The title of the survey is “HIPAA Covered Entity and Business Associate Pre-Audit Survey.” OCR proposes to survey up to 1200 HIPAA covered entities and business associates to determine suitability for the OCR HIPAA Audit Program. OCR plans to use the survey to assess the size, complexity, and fitness of the surveyed covered entities and/or business associates for a HIPAA audit. The survey will collect information about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

Under HITECH Act § 13411, 42 USC § 17940, HHS is required to provide for periodic audits to ensure that HIPAA covered entities and their business associates are complying with the HIPAA Privacy, Security and Breach Notification Rules. In 2011-2012, OCR developed audit protocols for the Privacy, Security, and Breach Notification Rules, and conducted a pilot audit program. Since then, it has been evaluating the audit program and revising the audit protocols to reflect changes made to the Rules by the HIPAA/HITECH Act Omnibus Rule. This survey may signal the revitalization of the OCR HIPAA Audit Program, which has not been active since the conclusion of the pilot audit program in December 2012. Importantly, unlike the pilot audit program, which only audited the compliance of covered entities, this forthcoming round of audits will include both covered entities and business associates. We also note that this next round of HIPAA compliance audits may be more focused and targeted on high-priority issues – rather than the broad-based audits of the pilot program. As previously noted, OCR has recently indicated that, instead of broadly auditing covered entities and business associates with respect to compliance with the HIPAA Privacy, Security, and Breach Notification Rules, its future audits would likely focus on key areas of concern for OCR identified by new initiatives, enforcement concerns, and Departmental priorities.

Comments on the ICR are due by April 25, 2014, and should be submitted to Information.CollectionClearance@HHS.gov.

Filed Under: Health Privacy, Legislation, Workplace Privacy Tagged With: Health Information Security, HIPAA, HITECH

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.