Companies that qualify as a “Covered Entity” or “Business Associate”  under the Health Insurance Portability and Accountability Act (“HIPAA”) should take note of the U.S. Department of Health and Human Services (“HHS”) pilot HIPAA audit program.
Under Section 13411 of the HITECH ACT, HHS must conduct periodic audits to ensure that Covered Entities and Business Associates comply with HIPAA’s Privacy and Security Rules and Breach Notification Standards. To meet this requirement, HHS is conducting a pilot HIPAA audit program in which it will audit up to 150 Covered Entities from November 2011 through December 2012. Business Associates are not included in this initial audit, but they will be included in subsequent audits.
HHS will select a wide range of Covered Entities to audit, including individual and organizational providers of health services, health plans of all sizes and functions and health care clearinghouses. KPMG developed the audit protocols, and it will audit the 150 Covered Entities and generate reports for HHS. The audits are designed to generate information about HIPAA compliance and will assess both vulnerabilities and best practices. HHS will make its findings with respect to best practices public, but it will not publish lists of audited Covered Entities or specific findings that identify particular Covered Entities.
Impact on Covered Entities and Business Associates
Although only a small number of Covered Entities will be audited in 2011-2012, the audit will generate a list of best practices that Covered Entities should implement going forward. After the best practices list is published, Covered Entities should review their internal policies, training processes and Business Associate agreements and modify them, if necessary, to conform with best practices.
The best practices list will also likely contain suggestions that Business Associates should incorporate into their internal policies, training procedures and Business Associate agreements in preparation for the Business Associate audits which are likely to begin in 2013.
If you have any questions about whether your company must comply with HIPAA or how the HIPAA audit program may impact your company, please contact Helen Christakos at firstname.lastname@example.org.
 ”Covered Entity(ies)” are defined under 45 CFR 160.103 as: (1) health plans; (2) health care clearinghouses; or (3) certain health care providers who transmit any health information in electronic form in connection with certain transactions.
 ”Business Associate(s)” are defined under 45 CFR 160.103 as entities that perform “certain functions or activities that involve the use or disclosure of protected health information on behalf of, or [provide] services to, a Covered Entity.” See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html
Also of Interest
- Tax Alert: Final Debt Regulations Have Limited Scope of Application November 30, 2016 • Client Alerts
- Golodner Quoted in IFLR on Proposed NYS Digital Security Laws November 29, 2016 • Media Mentions
- Best Lawyers Profiles Frankle as “Lawyer of the Year” November 28, 2016 • Media Mentions
- Fallon Appointed to the University at Albany Presidential Search Committee November 22, 2016 • Recognitions
- Fintech Term Sheet Negotiations: Key Issues Beyond Price November 21, 2016 • Articles
- JUVE Handbuch Recommends Frankfurt Office and Lawyers November 14, 2016 • Recognitions
- Using Technology Service Providers Is No Silver Bullet November 7, 2016 • Articles
- Kaye Scholer Advises Bregal, Motion Equity in Morrison Utility Services Sale November 7, 2016 • Client Successes
- Pitfalls of Present-Day Contracts: Hyperlinked Contract Terms November 7, 2016 • Articles