The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced that it intends to survey up to 1,200 covered entities and business associates to determine their suitability for a more fulsome HIPAA compliance audit. In a notice published in the Federal Register, OCR stated that the survey will collect information such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations” to assess the organizations’ “size, complexity and fitness” for an audit.

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act requires OCR to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations. HHS conducted an audit of 115 covered entities in 2012. That audit found that compliance with the HIPAA Security Rule was lacking – notably, roughly 2 out of 3 of audited entities did not have a complete and accurate risk assessment. It also found that many entities were unaware of specific HIPAA Privacy Rule requirements, such as the obligation to provide a notice of privacy practices to individuals.

Although the total number of audits in 2014 is uncertain, expanding the audit program will provide a clearer picture of the extent of HIPAA compliance by business associates.

Read about our prior coverage of the HIPAA audit protocol.