Since November 2011, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has been conducting audits of covered entities (the “HIPAA Audit Program”) for compliance with the privacy and security requirements under HIPAA and the HITECH Act (collectively, the “Privacy & Security Rules”). While the Internal Revenue Service and the Department of Labor have conducted audits with respect to HIPAA’s portability requirements in the past, the HIPAA Audit Program is a new enforcement effort for HHS/OCR, which until now relied mainly on complaint-based investigations and reviews. This advisory summarizes the HIPAA Audit Program as we currently understand it and provides some basic compliance reminders that may be helpful in preparing for such an audit.
The advisory is provided in PDF on the Alston & Bird website:
Written by Johann Lee, Counsel and Lee Hickman, Partner | Alston & Bird LLP