Contributed by Lee Kim, Esq.


The HITECH Act mandates HIPAA audit and enforcement. In that vein, the US Department of Health and Human Services Office for Civil Rights (OCR) announced a pilot program to perform audits of covered entities to assess their HIPAA Privacy and Security compliance. The covered entities to be audited include a wide variety of facilities of varying sizes, including very large healthcare systems to small physician practices. These entities will have an extensive review of their HIPAA Privacy and Security Rule policies and procedures, operations, and documentation. OCR intends to audit healthcare providers, health plans, healthcare clearinghouses, and business associates as part of its pilot program.

If an entity is selected for an audit, it will go through the following 3-step process:

  1. OCR Audit Notification Letter

The letter from OCR will include the following:

  • Basis for the audit
  • Audit’s purpose
  • Introduction of the audit contractor (currently, KPMG)
  • Contact information for questions

An example of the sample letter may be found here:

  2. Audit Contractor Letter

The letter from the contractor will include the following:

  • Introduction to the audit team
  • Timeline for the audit process
  • Initial document and information requests, with a deadline for response
  • A pre-audit conference call to discuss the on-site audit process and requirements

  3. On-Site Audit

Several auditors will arrive on-site at the entity to commence the audit process. There will be operational reviews, policy and procedure reviews, and interviews with personnel. This step usually takes several days. The auditors will look for compliance not only in terms of what is currently being done, but may also look at documentation of compliance dating back to the effective date of the HIPAA Privacy or HIPAA Security Rule, as applicable.

In addition, the entity may receive additional follow-up questions once the on-site audit is complete.

The auditors will then compile a draft report and send it to the entity for review. The entity will have the opportunity to comment. In view of any comments by the entity, the auditor will either keep the original report or amend it. The auditor will then forward the report and any comments from the entity to OCR for disposition. OCR will then decide on the outcome of the audit.

Several outcomes are possible: (1) OCR may specify certain items which the entity needs to correct and ask for voluntary remediation of these issues; (2) if the report identifies significant issues that need to be addressed, then a resolution agreement will be reached with the entity, with agreed-upon changes in policies and procedures for HIPAA compliance; or (3) if there are serious deficiencies, then OCR may determine that further investigation or review is required. Under this last option, OCR will conduct the investigation or review, and it may also determine that the entity has acted with willful neglect and impose significant fines (as authorized by the HITECH Act).

An initial set of 20 entities has already been audited. It is anticipated that another 130 entities will be randomly selected as part of this pilot program. These entities may include larger providers and payors with more than $1 billion in revenue and/or assets, large regional hospital systems, community hospitals, ambulatory surgery centers, regional pharmacies, community pharmacies, and small healthcare providers.

All covered entities and business associates must comply with the HIPAA Privacy and Security Rules. They must have a compliance officer and policies and procedures in place, as well as documentation of how continuing compliance is being achieved.