The Department of Health and Human Services’ Office for Civil Rights (OCR) expects to commence an audit program late in 2011 regarding compliance with the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). The audits will focus on measuring compliance rather than on identifying violations, but if OCR finds major violations during an audit, it may lead to formal enforcement action. Group health plans should review their checklists to confirm they are in material compliance with HIPAA’s privacy and security rules.