HIPAA Privacy Audit


Under provisions of the American Recovery and Reinvestment Act of 2009, the U.S. Department of Health and Human Services (HHS) is required to conduct audits to validate that covered entities and business associates are adhering to the HIPAA Privacy guidelines. HHS will perform up to 150 audits to measure compliance standards. A pilot phase is already underway, with 20 audits being conducted. The information learned from the initial period will be applied during the rest of the audits. The pilot program is slated to end in December 2012. HHS intends to “audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit.”

If an entity is selected for a HIPAA Privacy audit, it will be contacted by HHS and will have to submit the requested documentation within 10 days of receipt of the letter. Auditors will be present for a site visit between 30 and 90 days after notification and will draft an initial report, which can be discussed with the entity before a final report is issued. The final report will detail any compliance issues, how they were resolved, and any best practices of the entity. The information collected during the pilot program will help develop future technical assistance. There will not be a public posting of which entities were involved, as the audits are “primarily a compliance improvement activity.”

For more information, go to: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.


If you have any questions, contact your WGA Client Executive or Client Service Manager, or email compliance@wgains.com.