The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced last week that it has begun formal auditing of covered entities under HIPAA. The action is not unexpected; the American Recovery and Reinvestment Act of 2009 (“ARRA”) required OCR to conduct the audits. However, the announcement, along with ARRA’s increased penalties for not complying with HIPAA, may cause covered entities and business associates to refocus on HIPAA’s requirements.
Who Will be Audited? OCR announced that every type of covered entity may be audited, including health care providers and employer-sponsored group health plans. Business associates apparently are not being audited at this time. This is helpful for business associates, who still may be uncertain of their exact compliance responsibilities under HIPAA.
When Will Audits Begin? OCR will conduct an “initial wave” of 20 audits beginning in November 2011 and apparently ending in April 2012. OCR will use the results from those audits to design future audits. This initial pilot program is expected to conclude in December 2012 after 150 audits have been conducted.
How Will Audits Work? Entities selected for an audit will be asked to provide documentation relating to their HIPAA Privacy Rule and Security Rule compliance, such as HIPAA policies and procedures. OCR will then conduct a site visit and interview key personnel. This research will be the basis for a draft report generated by OCR. Covered entities will be allowed to review the draft report and discuss their corrective actions with OCR. This process is expected to take about 90 days.
Will the Audit Results be Made Public? OCR will not publicly post a list of audited entities, nor will OCR publicly provide the results of an audit. However, OCR did not address whether the results could be made public in some other manner, such as through a lawsuit or a Freedom of Information Act request.
How Should Covered Entities Prepare for Possible Audits? For some covered entities, little preparation may be required for a possible audit. For example, if a covered entity has recently updated its policies and procedures and has a robust compliance and training program, no action may be required. However, for many other covered entities, this new risk of a possible audit will cause them to review all their HIPAA policies and procedures.