HIPAA-Covered Health Plans Beware: HHS Office of Civil Rights Kicks Off HIPAA Audit Program

By John Hickman and Johann Lee

Alston & Bird, LLP

Since November 2011, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has been conducting audits of covered entities for compliance with the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively, the “Privacy & Security Rules”). This audit initiative is known as the “HIPAA Audit Program.” While the IRS and the Department of Labor have conducted audits with respect to HIPAA’s portability requirements in the past, the HIPAA Audit Program is a new enforcement effort for HHS/OCR, which until now has relied mainly on complaint-based investigations and reviews. This article summarizes the HIPAA Audit Program as we currently understand it and provides some basic compliance reminders that may be helpful in preparing for such an audit.