Companies that qualify as a “Covered Entity” or “Business Associate” under the Health Insurance Portability and Accountability Act (“HIPAA”) should take note of the U.S. Department of Health and Human Services (“HHS”) pilot HIPAA audit program.
Under Section 13411 of the HITECH Act, HHS must conduct periodic audits to ensure that Covered Entities and Business Associates comply with HIPAA’s Privacy and Security Rules and Breach Notification Standards. To meet this requirement, HHS is conducting a pilot HIPAA audit program in which it will audit up to 150 Covered Entities from November 2011 through December 2012. Business Associates are not included in this initial audit, but they will be included in subsequent audits.
HHS will select a wide range of Covered Entities to audit, including individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses. KPMG developed the audit protocols, and it will audit the 150 Covered Entities and generate reports for HHS. The audits are designed to generate information about HIPAA compliance and will assess both vulnerabilities and best practices. HHS will make its findings with respect to best practices public, but it will not publish lists of audited Covered Entities or specific findings that identify particular Covered Entities.
Impact on Covered Entities and Business Associates
Although only a small number of Covered Entities will be audited in 2011-2012, the audit will generate a list of best practices that Covered Entities should implement going forward. After the best practices list is published, Covered Entities should review their internal policies, training processes and Business Associate agreements and modify them, if necessary, to conform with best practices.
The best practices list will also likely contain suggestions that Business Associates should incorporate into their internal policies, training procedures and Business Associate agreements in preparation for the Business Associate audits, which are likely to begin in 2013.
If you have any questions about whether your company must comply with HIPAA or how the HIPAA audit program may impact your company, please contact Helen Christakos at firstname.lastname@example.org.
“Covered Entity(ies)” are defined under 45 CFR 160.103 as: (1) health plans; (2) health care clearinghouses; or (3) certain health care providers who transmit any health information in electronic form in connection with certain transactions.
“Business Associate(s)” are defined under 45 CFR 160.103 as entities that perform “certain functions or activities that involve the use or disclosure of protected health information on behalf of, or [provide] services to, a Covered Entity.” See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html