Update on OCR HIPAA audits

Information continues to trickle out regarding the status of the Office for Civil Rights’ (OCR) mandated audits of Health Insurance Portability and Accountability Act (HIPAA) covered entities. OCR’s Deputy Director for Health Information Privacy Susan McAndrew recently confirmed that the first 20 audits have been completed, although the organizations audited have not yet received their final audit reports. An additional 95 covered entities have been selected for audit, for a total of 115 audits, down from the 150 initially announced when KPMG was awarded the contract to conduct the audits on OCR’s behalf. Of the additional 95 selected for audit, 25 have been notified and are providing documentation to the auditors.

Earlier information provided by OCR described an audit timeline of at least 60 days as follows:

Notification letter sent to covered entities: one day
Receiving and reviewing documentation and planning the audit field
work: minimum of 10 days
On-site field work: three to 10 days
Draft audit report: 20–30 days
Covered entities review and comment on draft audit report: 10 days
Final audit report: 30 days

OCR also announced that an audit protocol will be made available on its website “in the near future,” and that no business associates will be audited in the 2012 round of audits. Perhaps the decision to give business associates a pass in this round is due to the fact that Health Information Technology for Economic and Clinical Health Act rules addressing large parts of a business associate’s obligations have not yet been finalized. Notably, President Obama’s proposed fiscal 2013 budget includes a 5 percent cut for OCR spending, and OCR has not yet announced whether its audits will continue into 2013.

What should covered entities do to prepare for the possibility of audit? Watch for the release of OCR’s audit protocol and conduct a self-audit according to its parameters promptly upon its release. If audited, prepare to respond to or rebut initial findings of the auditors before the report is finalized (see timeline outlined above). Finally, watch for the release of the first batch of final audit reports; although final audit reports will not identify the audited entities, they should provide valuable insights as to focus areas and priorities for OCR.

Register now for your free, tailored, daily legal newsfeed service.

Update on OCR HIPAA audits

Filed under

Topics

Laws

Organisations

Popular articles from this firm

The eyelash wars – U.S. district court in California grants partial summary judgment to Allergan, finding that Athena Cosmetic’s revitalash eyelash growth products are unapproved new drugs in violation of California law *

Do the new medical device registration requirements really apply to me? *

DNR orders in Georgia long-term care facilities *

Notice versus strict procedures – section 613 *

An overview of Limited Partner Advisory Committees and private equity fund advisory boards *

Related practical resources PRO

Related research hubs