OCR Announces Audit Initiative

Privacy & Cybersecurity and Employee Benefits & Executive Compensation Update

Date: November 10, 2011


The Department of Health and Human Services Office for Civil Rights (OCR) recently announced an initiative to audit up to 150 covered entities for compliance with the privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, HIPAA).

Who Will Be Audited?

OCR intends to select a broad range of covered entities for audit, including health care providers and health plans of all sizes. Although business associates will not be targeted as part of this audit initiative, they are otherwise eligible for audit.

When Will Audits Begin?

Audits are expected to start in November 2011 and conclude by December 2012.

How Will the Audit Be Conducted?

The covered entity will receive an audit notification letter 30 to 90 days before the audit, requesting documentation regarding its HIPAA compliance. The covered entity will be required to provide the requested information within 10 business days of receiving the letter. A third-party auditor will conduct the audit at the covered entity's facilities for three to 10 business days. Thereafter, the auditor will provide the covered entity with a draft audit report, and the covered entity may provide comments on the report within 10 business days. Within 30 days after the covered entity's response, the audit report will be finalized and provided to OCR.

What Happens After the Audit Report Is Provided to OCR?

OCR will use the audit reports to identify best practices, issue technical assistance and determine what types of corrective actions are most effective. OCR may also use the audit reports to initiate compliance reviews to address serious noncompliance issues.

How Should Covered Entities Prepare For Audits?

In light of the audit initiative described above, health care providers and group health plans should consider reviewing their current HIPAA compliance. Our lawyers regularly assist clients with this process, from providing an annual checkup to conducting a complete overhaul of HIPAA policies and procedures.


Please contact Kim Wilcoxon, any member of the Privacy & Cybersecurity team or any member of the Employee Benefits & Executive Compensation practice for more information.