The U.S. Department of Health and Human Services (HHS) has indicated that it is moving ahead with its HIPAA privacy and security audit program. Accordingly, health plans and other covered entities should prepare now and be on the lookout for communications from the HHS Office of Civil Rights (OCR) by email or regular mail. OCR plans to send approximately 1,200 “screening surveys” to identify the organizations it will audit. OCR anticipates selecting 350 covered entities for desk audits, and approximately that number of business associates for audit as well. A wide variety of entities will be selected for audit, based on type of organization, location, and affiliation with other covered entities. Following this initial round of desk audits, OCR intends to conduct comprehensive onsite audits of covered entities and business associates, to determine the effectiveness of an organization’s compliance efforts and internal controls.

Covered entities and business associates are advised to conduct “security risk assessments” to prepare for potential OCR audits, with a focus on confirming that adequate policies are in place and that their workforces have been trained so that employees understand the privacy and security requirements of HIPAA.