The Department of Health and Human Services (HHS) recently announced a new initiative to audit covered entities, including health plans, and their business associates for compliance with the HIPAA privacy and security rules. The HHS Office of Civil Rights (OCR) has begun to obtain and verify contact information that it will use to identify covered entities and business associates that will be audited. OCR also has issued a 420-page “Audit Protocol” that goes into detail about the types of questions that may be asked or documents that may be requested. The Audit Protocol is broken out into three “audit types”: (1) HIPAA Privacy, (2) HIPAA Security, and (3) Security Breaches.

The attached memo summarizes what we know so far about the audit process, including information about the selection of candidates, the audit timeline, and anticipated next steps in the event of audit findings. Please see the memo for further information.