The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently announced it has begun its next phase of audits to assess the compliance of covered entities, such as employer-sponsored health plans, and their business associates with the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act (“HIPAA”). During this phase of the audit program, OCR will review the HIPAA policies and procedures adopted by covered entities and business associates, primarily through desk audits but also via some on-site audits. OCR is currently sending letters by email to covered entities and business associates to verify their contact information and will subsequently send pre-audit questionnaires to gather information that OCR will use to identify potential audit candidates. In light of this new audit program, as well as several recent high-dollar and burdensome settlement agreements that the U.S. Department of Health and Human Services (“HHS”) has entered into with noncompliant covered entities (including the settlement described in the item below), group health plan sponsors are advised to review their compliance with the HIPAA privacy and security standards on a regular basis. The days of generally lax enforcement of the HIPAA privacy rules appear to be over.
OCR’s announcement of the audit program is available here.