Under the HITECH Act, the Department of Health and Human Services (HHS) is mandated to conduct periodic audits to ensure that HIPAA covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

HHS’ Office for Civil Rights (OCR) recently published a notice in the Federal Register announcing the return of its HIPAA Audit Program. The notice states that OCR will submit an Information Collection Request (ICR) for its HIPAA Audit Program survey, titled "HIPAA Covered Entity and Business Associate Pre-Audit Survey". The request will be sent to the Office of Management and Budget (OMB) for approval under the Paperwork Reduction Act of 1995. Through this request, the OMB is looking for feedback on the proposed HIPAA survey and how it might affect businesses.

OCR plans to survey up to 1200 HIPAA covered entities (health plans, healthcare clearinghouses, certain healthcare providers) and business associates to determine suitability for the OCR’s HIPAA Audit Program. Questions in the survey will likely relate to data such as the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

Once the survey has been concluded, the next step for the OCR is to bring back the HIPAA Audit Program, which has been inactive since its pilot HIPAA audit program in December of 2012.

OCR’s pilot audit program was held in 2011-12. Since then, it has been evaluating the audit program and revising the audit protocols to reflect changes made to the Rules by the HIPAA/HITECH Act Omnibus Rule. The pilot audit program only audited the compliance of covered entities, while the new program will be auditing both covered entities and business associates.

This next round of HIPAA compliance audits is expected to be more focused, targeting high-priority issues rather than repeating the broad-based audits of the pilot program. OCR has recently indicated that its future audits would most likely focus on key areas of concern identified by new initiatives, enforcement concerns, and Departmental priorities.