November 28, 2011

OCR Launches HIPAA Audit Program

Although many have been critical of the way the Department of Health & Human Services has (or hasn’t) been enforcing HIPAA, its enforcement agency—the Office for Civil Rights (OCR)—has been ramping up its HIPAA enforcement activities recently in response to the HITECH amendments to HIPAA. As we’ve previously reported, the agency has increased the penalties for violating HIPAA and increasingly is resolving its enforcement actions with financial settlements.

Now, OCR announces that it is rolling out a pilot audit program, with audits beginning this month. OCR intends to conduct 150 audits by the end of 2012. Rather than focusing on just certain types or sizes of organizations, OCR is selecting a wide range of types and sizes of targets, including individual and organizational health care providers, health plans of all sizes and functions, and health care clearinghouses.

The audit will look at compliance with HIPAA privacy, security and breach notification rules. Although OCR has not released a set of audit questions, some specific issues that are high on OCR’s radar include:
  • incident detection and response
  • access log review
  • secure wireless networks
  • user access and passwords management
  • theft or loss of mobile devices
  • up-to-date software
  • information access management, including role-based access

OCR expects that an audit will typically last about 30 days. OCR’s contract auditor, KPMG, will typically be on site for 3 to 10 days of the audit, depending on the complexity of the systems involved. During the on-site visit, KPMG will interview key personnel and observe processes and operations. KPMG will then develop a report, with input from the audited organization, summarizing its findings and what actions the audited organization is taking in response to those findings. OCR plans to use the reports primarily to help it identify best practices and understand what types of technical assistance those subject to HIPAA need—but OCR may initiate enforcement proceedings if an audit report indicates a serious compliance issue.

OCR only plans a limited number of audits in connection with this pilot program, but expects to put in place a permanent audit program after 2012. And while OCR will not look at business associates in this round of audits, it plans to include them in future audits.

If you are wondering what you should do to prepare for a potential audit, OCR Director Leon Rodriguez recently offered the following advice on how to improve HIPAA compliance:

  • check that risk assessments are up to date
  • make sure senior managers are supportive of risk mitigation strategies
  • review existing compliance programs as well as staff training
  • ensure vigilant implementation of privacy and security policies and procedures, as well as tough sanctions for violating them
  • conduct frequent internal compliance audits
  • develop a plan for prompt response to breach incidents.

If you have questions about HIPAA compliance, please contact a member of Warner’s HIPAA Task Force.
