In 2015, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) will begin enforcing the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) through random audits. Covered entities (including health care providers, health plans, and health care clearinghouses) as well as business associates (including certain vendors that provide services for covered entities) are subject to being randomly selected for an audit.

The audit program comes as the result of Section 13411 of the HITECH Act, which requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR is tasked with enforcing these rules. A pilot audit program was established and conducted from November 2011 through December 2012, during which KPMG audited 115 covered entities on behalf of OCR. OCR has published an online summary of the results of the pilot audit program. Those results reveal that a majority of the compliance issues were related to the HIPAA Security Rule.

Phase 2 of the audit program was expected to resume in the fourth quarter of 2014. However, on September 9, 2014, OCR’s health information privacy senior adviser, Linda Sanches, announced the audits would be delayed until 2015 in order for OCR to implement a new web portal to collect and analyze audit data. OCR intends to have both business associates and covered entities audited during Phase 2 of the audit program. Ms. Sanches stated that OCR had initially intended to do 400 desk audits during Phase 2 of the program, but has since decided to shift over half of the intended desk audits into on-site comprehensive audits due to additional funding received and new technology.

OCR has also indicated that the 2015 audits will have a strong focus on completion of periodic risk analyses and follow-up risk management actions (as required under the HIPAA Security Rule), content and timeliness of breach notifications (as required under the HIPAA Breach Notification Rule), and notice of privacy practices and patient access rights (as required under the HIPAA Privacy Rule).

Before the 2015 Phase 2 audits commence, OCR will conduct a pre-screening survey of covered entities and business associates that are potential candidates for the Phase 2 audits; the survey will involve completion of a questionnaire through a newly developed OCR portal. Unlike the pilot audit program, which was conducted by a contractor (KPMG), the Phase 2 audits will be conducted by OCR personnel.

To prepare for the upcoming audits, covered entities and business associates should, at a minimum, ensure the following steps have been taken:

1. In the case of a covered entity, provide the entity’s Notice of Privacy Practices (“NPP”) to every patient, and ensure the NPP has been updated to reflect the changes under the HITECH Act Omnibus Final Rule (the “Final Rule”), released in January 2013.

2. Have written and signed business associate agreements, reflecting the changes under the Final Rule, in place with every entity that qualifies as a business associate.

3. Conduct an accurate and thorough assessment of the risks to electronic protected health information (“ePHI”).

4. Implement the required physical, technical, and administrative safeguards to protect ePHI.

5. Have formal policies and procedures for the privacy and security of protected health information.

6. Train all employees on privacy and security policies and procedures.

7. Maintain all documentation required under HIPAA, including documentation of all employee training, disclosure logs, documentation of all breach analyses, etc.

If you are interested in learning more about preparing for the 2015 HITECH Act audits, you can attend a complimentary webinar offered on January 15th, 2015 at 1 p.m. (E.T.) by registering through the following link: