As HIPAA Audit Pilot Program Ends, Providers Should Brace for More of the Same in 2013

January 15, 2013

1370555_lots_of_files_2.jpgThe Health Information Technology for Economic and Clinical Health (HITECH) Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA privacy and security rules and the HITECH Act's breach notification standards. To implement this mandate, the HHS Office for Civil Rights (OCR) piloted a program to conduct 115 audits of covered entities to assess privacy and security compliance. Audits conducted under OCR's pilot program began in November 2011 and ended in December 2012.

As part of the audit pilot program, OCR established an audit protocol that contains the requirements assessed during OCR's performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. (The protocol is available for public review at: For example, with respect to the HITECH Act's breach notification standards, auditors checked, among other things, whether:

  • a process exists for notifying individuals within the required time period of a breach of unsecured protected health information (PHI);
  • if any breaches occurred, that individuals were notified within 60 days;
  • if there is a standard template or form letter for breach notification; and
  • if any breaches occurred, the notification to the individuals included the required elements set forth at 45 C.F.R. ยง 164.404(c).

In other words, the protocol provides a useful checklist for providers to ensure that they are complying with the HIPAA privacy and security rules and the HITECH Act's breach notification standards.

OCR has previously stated that the results of the initial audits will inform how audits will be conducted moving forward from the pilot program. It remains unclear how the initial audits will affect the existing audit protocol and whether OCR will revise the protocol. Until OCR provides notice that it is revising the existing protocol standards, providers would be well-served by continuing to compare their existing policies and procedures against the protocol's standards.