



Government auditing to ensure HIPAA compliance

Up to 150 audits anticipated; every covered entity, business associate eligible

The federal government is conducting audits to ensure medical professionals and businesses are complying with the privacy, security and breach notification provisions of the Health Insurance Portability and Accountability Act.

The periodic audits are part of a pilot program through the U.S. Department of Health and Human Services’ Office for Civil Rights and will continue until December 2012. The audits are required under the Health Information Technology for Clinical and Economic Health Act, which is part of President Obama’s American Recovery and Reinvestment Act of 2009. The HITECH Act also amended parts of HIPAA.

OCR will conduct up to 150 audits and every covered entity and business associate is eligible, according to HHS. The federal agency will select a wide range of types and sizes of covered entities, including covered individual and organizational providers of health services, health plans of all sizes and functions and health care clearinghouses.

“The audit program serves as a new part of the Office for Civil Rights’ health information privacy and security compliance program,” according to the HHS website. “OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.”

The audits will ultimately help the public by possibly uncovering reasons why health information is breached. By knowing how the breaches occurred, OCR can create tools for covered entities to better safeguard protected health information.

OCR will inform entities selected for an audit and ask them to provide documentation of their privacy and security compliance efforts within 10 days of being notified, according to the website. In the pilot phase, every audit will include a site visit within 30-90 days of initial notification and result in an audit report. During these site visits—which can take three to 10 days—auditors will interview key personnel and observe processes and operations to help determine compliance.

OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective. It will share best practices and guidance on its website, www.hhs.gov/ocr/privacy. The agency will not publicize which entities it is auditing or what its findings in an individual audit are.

The ADA offers several products in its catalog to help dental office staff develop and implement a HIPAA compliance program. The Complete HIPAA Compliance Kit (J598) includes a HIPAA manual, CD-ROM and subscription service (J594) and a HIPAA training CD-ROM (J596). The kit is $300 for members and $450 for nonmembers. The ADA also offers the ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit (J594), $225 for members and $337.50 for nonmembers, which updates and replaces the 2002 HIPAA Privacy Kit and the 2005 Security Kit.

The new ADA Practical Guide to HIPAA Training (J596) offers two levels of training. Level one was designed to help fulfill the training requirement for dental office staff and level two helps managers who are developing and implementing their office’s HIPAA compliance program. The CD-ROM-based training program is $135 for members and $202.50 for nonmembers.

Save 15 percent on all ADA products with priority code 11219 through Jan. 15. To order, call the ADA Catalog at 1-800-947-4746 or visit www.adacatalog.org.

For more information on the HIPAA audits, visit www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.