On November 8, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services notified members of its HIPAA Privacy Rule listserv that it will begin a pilot program of the audit requirement under Section 13411 of the HITECH Act. In the communication, OCR indicated that it will perform approximately 150 audits of covered entities, both to assess the protocols it has established for conducting audits and to uncover additional risks and vulnerabilities relating to the privacy and security rules. Selected covered entities will be notified of the request for their participation sometime this month; OCR's goal is to conclude the pilot audits by the end of next year.
Under Section 13411, any covered entity or business associate is eligible to be audited. For the pilot program, however, only covered entities will be targeted. OCR states that it will select from a broad range of covered entities so that its audit protocols are put to the test across a wide variety of scenarios. Specifically, OCR cites "covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses" as potential targets for the pilot. According to OCR's audit protocols, the goal is to complete each audit within 180 days from the date the notification letter is sent.
Even though business associates are excluded from direct consideration for the pilot, a target's business associate could still be indirectly implicated in a pilot audit, since the privacy and security rules under HIPAA/HITECH require specific contractual relationships between covered entities and their business associates. How much a business associate should expect to participate in a covered entity's audit remains to be seen, but it would not be unreasonable for OCR auditors to request copies of all of the covered entity's business-associate agreements. Those agreements should include the business associate's HIPAA compliance policies and procedures.
Though the pool of pilot-program targets is small, now may be a good time for HIPAA business associates to revisit their agreements and HIPAA/HITECH compliance policies, so that they are prepared in the event that an important covered-entity customer is selected for the pilot program.