Getting Ready for the HIPAA Audit Program

The HHS Office for Civil Rights, which enforces the HIPAA privacy/security/breach notification rules, is expected soon to begin a permanent random audit program to assess industry compliance with the rules.


During a session at the MGMA Conference, Oct. 26-29 in Las Vegas, David Holtzman, formerly a senior advisor in the OCR health information privacy unit, will explain lessons learned during a pilot audit program and what the permanent audit program likely will look like.

It appears that the program will conduct more on-site audits than originally envisioned, says Holtzman, who is now vice president of compliance services at Cynergistek, a security consultancy. Under this scenario, an auditor, either OCR staff or a contractor, would come to a facility to review documentation and observe processes. Exact procedures have not been shared yet, nor has the audit protocol been published, he adds. During the pilot program, organizations received 14 days' notice of a visit, and Holtzman believes the notice period in the permanent program will be similar.

OCR also will conduct “desk audits” under which the agency requests organizations to submit documentation of policies, procedures and other evidence of HIPAA compliance. Asked what organizations most need to know now before the audits begin, Holtzman replies, “The best thing they should do today is prepare for the audit that is coming; to begin a review to make sure a risk assessment is completed. If not, do one now.”

Risk assessment tools for smaller practices are available here. Assessment tools for larger practices are available here. The session, “OCR Audits-Lessons for the Small Practice,” is scheduled on Oct. 27 at 10:15 a.m. in room N247.