Department Of Health And Human Services Launches HIPAA Privacy & Security Audits

The Department of Health and Human Services (“DHHS”) announced a new audit program under the Health Insurance Portability and Accountability Act (“HIPAA”) in order to assess HIPAA compliance. Specifically, the audit will focus on ensuring compliance with the HIPAA Privacy and Security standards promulgated under the Patient Protection and Affordable Care Act (“PPACA”) signed into law in March 2010. The Office of Civil Rights (“OCR”) is the division within DHHS that is tasked with enforcing the new HIPAA Privacy and Security standards. As such, the OCR will be responsible for coordinating and running this new audit program.

DHHS has contracted with international auditing firm KPMG to conduct the audits. Under the audit program, the OCR expects to conduct up to 150 audits during a Pilot Phase which is scheduled to run from November 2011 through December 2012. The DHHS plans to audit only covered entities during the Pilot Phase, including covered individual and organizational providers of health services, health plans of all sizes, and health care clearinghouses. Moreover, an on-site visit will be part of every audit conducted during the Pilot Phase.

When a covered entity is selected for an audit, the OCR will notify the covered entity in writing. The OCR expects to notify selected covered entities between thirty (30) and ninety (90) days prior to the anticipated onsite visit. The OCR notification letter will introduce the audit contractor, explain the audit process and expectations in more detail, and describe initial document and information requests. The notification letter will also specify how and when to return the requested information to the auditor.

In light of the new HIPAA audit program launched by DHHS, ADVOCATE advises all clients to pay close attention to any and all communications received from DHHS and the OCR, as the communication may be a notification letter of an audit being conducted under this new program.

A sample OCR Notification Letter can be viewed here.

If you have any questions regarding compliance with Transmittal 386, or any other compliance-related issue(s), please feel free to contact me at:

Very kind regards,
Andre Perrotta, Esq.
ADVOCATE Chief Compliance Officer