
February 06, 2012

New HIPAA audit program announced

Last month, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published details about its new HIPAA Privacy and Security Audit Program at its website. This new HIPAA Audit Program is being established pursuant to the American Recovery and Reinvestment Act of 2009 (in Section 13411 of the HITECH Act) which requires HHS to perform periodic audits of covered entities and business associates to ensure that they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

Initially, only covered entities (e.g., health plans and health care providers) will be selected for audit, but business associates will be included in future audits. OCR plans to audit 150 covered entities during this initial pilot phase, which will last from November 2011 until April 2012.

Entities that have been selected for an audit will receive a letter introducing the contractor that has been selected to perform the audit (currently KPMG), explaining the process and expectations in more detail, and describing the initial document and information requests. Entities are expected to provide the requested information within 10 business days of receiving the request.

OCR plans to notify a selected entity 30-90 days prior to the anticipated onsite visit, which is expected to last 3-10 business days, depending on the organization. Within 20-30 days of completion of the onsite visit, the auditor is expected to provide a draft final report to the entity; the entity will have 10 business days to review the draft and provide written comments to the auditor. Within 30 days of receiving the entity’s response, the auditor will complete a final audit report, which will be submitted to OCR.

Although OCR has stated that these audits will be conducted primarily to improve compliance with HIPAA and to help OCR determine what types of technical assistance should be developed and what types of corrective action are most effective, if an audit report indicates a serious compliance issue, OCR may initiate a separate compliance review to address any identified problems. OCR has indicated that it will not post a list of the entities that have been audited or the findings of any individual audit that clearly identifies the audited entity.

Given this new focus on audits, both covered entities and business associates would be well advised to review their HIPAA privacy and security compliance programs and ensure that they are up to speed.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf
