Wiggin
๏ƒ‰
Find a Person
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z View All

Publications

Home 9 Publication 9 OCR Begins HIPAA Audits

OCR Begins HIPAA Audits

December 8, 2011

Michelle Wilcox DeBarge, Jody Erdfarb

Last month, the United States Department of Health and Human Services' Office for Civil Rights (OCR) announced that its contractor, KPMG, will be conducting 150 HIPAA compliance audits from November 2011 to December 2012. OCR is required to conduct HIPAA audits pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), which was passed by Congress as part of the much larger American Recovery and Reinvestment Act of 2009.

HITECH requires OCR to audit both covered entities and business associates to ensure full compliance with the HIPAA privacy and security rules as well as the breach notification rule. According to OCR, the 150 currently planned audits will be a pilot program including only covered entities. However, OCR plans to include business associates in future audits.

The Audit Process
OCR has posted an overview of the pilot audit program on its website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html. While the initial audits will be conducted in accordance with the process currently described on the website, revisions are expected over time as the audits progress.

According to the current process, the OCR auditors will send selected entities a letter notifying them of the audit and requesting documentation of privacy and security compliance. Entities will be expected to provide all of the requested information with 10 days.

Every audit will also include a site visit, during which the auditors will interview key personnel and observe processes and operations. According to OCR, the auditors will give covered entities between 30 and 90 days notice of an anticipated site visit. The visits may take anywhere between 3 to 10 business days, depending on the size and complexity of the organization.

OCR auditors will then draft an audit report, which will be shared with the entity. The covered entity will have 10 business days to review the report, discuss any concerns with the auditors, and describe corrective actions implemented to address any identified problems. Within 30 days of receiving the entity's comments, OCR will then issue a final report, detailing all of the efforts taken to resolve any identified compliance issues. Interestingly, the audit report will also include a description of the covered entity's best practices.

Consequences of Noncompliance
On its website, OCR emphasizes that the primary purpose of the audits is to, assess HIPAA compliance efforts by a range of covered entities . . . [and] examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews. However, OCR also notes that if a serious compliance issue is identified, a compliance review may be conducted to address the problem. Although not stated explicitly, if a covered entity fails to cooperate fully during the audit and/or if the auditors identify instances of noncompliance, the covered entity could face sanctions. Notably, the sample audit notification letter that OCR made available on its website states: We expect . . . your full cooperation and support and remind you of your cooperation obligations under the HIPAA Enforcement Rule.

Prepare Now
OCR has not publicly identified which covered entities it will audit, but has stated that, selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry and that, OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. Accordingly, all covered entities and business associates should prepare for the possibility of being selected for a compliance review as part of the pilot program.

Since audited entities must provide documentation of HIPAA privacy and security compliance within only 10 days, covered entities must ensure, prior to the time they are audited, that these materials are readily available and are up-to-date, accurate, and in full compliance with all applicable requirements. These include up-to-date policies and procedures and business associate agreements; documentation of HIPAA Security Rule compliance, including documentation of all risk assessments and implementation of appropriate safeguards that address all of the Security Rule standards; documentation of investigation and mitigation of all reported breaches; documentation of compliance with breach notification requirements; and documentation of employee training.

Also, since OCR will be conducting site visits, entities should ensure that all written policies and procedures are fully implemented as drafted. A HIPAA compliance program that is robust on paper, but that is not fully operational on the ground, will not suffice. All employees should understand the rules applicable to their job responsibilities, be able to identify the privacy and security officers, and know how to report suspected problems.

Additionally, covered entities and business associates should closely monitor the OCR website for audit-related announcements. In fact, OCR stated that it will, broadly share best practices gleaned though the audit process and guidance targeted to observed compliance challenges via, its website and other outreach portals.

In order to be fully prepared, covered entities should also assign a team to handle audit readiness. It will be essential to have a prepared team already in place by the time the audit begins. Entities should also consider conducting an internal audit of its HIPAA policies and procedures now to ensure that they are fully compliant.

~ ~ ~ ~ ~

In recent years, the federal government has made its intent to beef up HIPAA enforcement abundantly clear. In 2009, HITECH imposed new privacy and security requirements, expanded on those already in place, and most notably, required periodic HIPAA compliance audits and introduced enhanced penalties for noncompliance. To date, OCR has imposed penalties only in 8 cases; 5 of which were within the past two years. The start of OCR's new audit program is merely a continuation of this increased enforcement trend. Covered entities and business associates that have neglected to implement a robust HIPAA compliance program or that have been lax about HIPAA should improve their level of compliance without delay.

Resources

Client Advisory OCR Begins HIPAA Audits, DeBarge, Erdfarb, December 2011.pdf

Related People

Jody Erdfarb

Related Services

Cybersecurity and Privacy

Home Health Care and Hospice

HIPAA

Academic Medical Centers, Hospitals and Health Systems

Firm Highlights

News

Recognized for Excellence: Wiggin and Dana Named Law Firm of the Year, Attorney of the Year, and Earns 8 Additional Honors at the 2025 New England Legal Awards

Wiggin and Dana is proud to announce an extraordinary achievement at The American Lawyer’s 2025 New England Legal Awards, where the firm earned 10 top honors and was recognized as a finalist in additional categories. These awards celebrate excellence across the legal profession, and this yearโ€™s results underscore Wiggin and Danaโ€™s commitment to delivering exceptional […]
Read More
News

Wiggin and Dana Celebrates Top Honors in Benchmark Litigationโ€™s 2026 Rankings

Wiggin and Dana is proud to announce that Benchmark Litigation has once again recognized the firmโ€™s excellence in litigation, naming 13 attorneys as โ€œLitigation Starsโ€ and three attorneys as โ€œFuture Starsโ€ in its 2026 edition. The firm also earned Benchmarkโ€™s highest distinction, being ranked as a โ€œHighly Recommendedโ€ firm. Benchmark Litigation praised Wiggin and Dana […]
Read More
News

The National Law Journal Shortlists Wiggin and Dana for Litigation Departments of the Year โ€“ White Collar

Wiggin and Dana is proud to announce that its White Collar Defense, Investigations, and Corporate Compliance Practice Group has been selected by The National Law Journal as a finalist for Litigation Departments of the Year, White Collar. The firmโ€™s White Collar Defense, Investigations, and Corporate Compliance Practice Group includes former federal prosecutors from the U.S. […]
Read More
News

Benchmark Litigation Names Wiggin and Dana Partners to the 2025 โ€œ40 & Under Listโ€

Wiggin and Dana Litigation Partners, Laura Ann K. Froning, Robyn E. Gallagher, and David Norman-Schiff were named to Benchmark Litigationโ€™s 2025 โ€œ40 & Under Listโ€. The Benchmark Litigation team bestows this distinction upon the nationโ€™s most accomplished litigators aged 40 and younger who are considered the top emerging talent in litigation.ย The list is compiled based […]
Read More
News

Wiggin and Dana Expands Real Estate Practice with Addition of Vasiliki Yiannoulis-Riva

Wiggin and Dana LLP is pleased to announce that Vasiliki (Vasi) Yiannoulis-Riva has joined the firm as a Partner in the Real Estate, Environmental, Construction and Facilities Department, based in both the Stamford, CT and New York, NY offices. Vasi brings more than a decade of experience advising clients on commercial real estate transactions, leasing, […]
Read More
News

Chambers High Net Worth 2025 Honors Wiggin and Dana Lawyers and Private Client Services Practice

Wiggin and Dana is pleased to announce that the firmโ€™s Private Client Services practice and its partners, Michael T. Clear,ย Daniel L. Daniels, Jevera K. Hennessey, Leonard Leader, Vanessa L. Maczko, Steven B. Malech, and Carolyn A. Reers, have been ranked in the ninth edition of the annual Chambers High Net Worth (HNW) 2025 Guide. Additionally,ย Jonathan […]
Read More