HHS Launches Audit Program to Assess HIPAA Compliance | Practical Law


Practical Law Legal Update 8-511-8689 (Approx. 4 pages)

by PLC Employee Benefits & Executive Compensation
Published on 11 Nov 2011 | USA (National/Federal)
The US Department of Health and Human Services' (HHS) Office for Civil Rights is beginning audits this month of covered entities, including health plans, to ensure their compliance with the Health Insurance Portability and Accountability Act's (HIPAA) privacy and security standards.
The audit program should serve as a reminder to health plans to pay close attention to HIPAA. HHS has informally indicated that in 2012 it plans to release omnibus guidance finalizing proposed HIPAA regulations and related guidance.
The US Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) is conducting audits of covered entities, including health plans, in a pilot program that begins November 2011 and will continue through December 2012. HHS is required to perform periodic audits under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The audits are intended to assess compliance by covered entities and business associates with the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA). According to HHS, the audits will help determine:
  • What types of technical assistance should be developed.
  • Which kinds of corrective action are most effective.
Although OCR intends to use the audit program to identify best practices and examine compliance efforts, OCR reserves the right to follow up with a compliance review if an audit report indicates a covered entity has a serious compliance issue. OCR will perform up to 150 audits of covered entities within the next year.
All covered entities and business associates are eligible for an audit. However, OCR will focus on covered entities during this pilot period, and intends to audit a range of covered entities, including health plans of all sizes and functions.
Each audit may take more than 30 business days from the time the covered entity is selected for an audit until the final audit report is submitted to OCR. Covered entities that are selected for an audit will be notified by a letter containing requests for documents and information, which must be provided within 10 business days. Auditors will visit the covered entity's site, observe processes and operations, and interview key personnel. They will then draft an audit report and will give the covered entity an opportunity to review and comment on the report before submitting the final report to OCR.

Practical Implications

The audit program is a good reminder for health plans to pay close attention to their HIPAA compliance efforts. This is especially the case since HHS has informally indicated, in November 2011 comments at the ABA Health and Welfare Benefit Plans Conference in Washington, D.C., that it will provide omnibus guidance during 2012 to finalize proposed regulations addressing:
  • HITECH changes to HIPAA.
  • HITECH enforcement.
  • Breach notification.
  • The Genetic Information Nondiscrimination Act (GINA) changes to HIPAA.
HHS further indicated, informally, that:
  • The compliance date for this omnibus guidance will be 180 days following the guidance's effective date.
  • A one-year transition period will apply for amending business associate agreements.
Look to PLC's Employee Benefits & Executive Compensation service to provide updates and analysis of this guidance when it becomes available.
For more information on HIPAA's privacy and security standards, see Practice Notes, HIPAA Privacy Rule, HIPAA Security Rule and Standard Document, HIPAA Business Associate Agreement.
For more on the audit process, see the OCR HIPAA Audit Program website.