Indiana Security & Privacy Network

Feds ask firms about HIPAA audit experience

March 20, 2013

By Joseph Conn Posted: March 20, 2013 – 12:01 am ET The top federal healthcare privacy and security regulator wants to know what officials from more than 100 organizations that have undergone privacy and security audits thought of the process and what can be done to improve it. The office will ask leaders from all audited organizations—which included health plans, healthcare claims clearinghouses and providers—to complete an online survey asking them to “measure the effect,” including its costs, on their operations, and “gauge their attitudes towards the audit overall,” according to a notice of an official “information collection” activity (PDF) to be published in the Federal Register by the Office for Civil Rights at HHS. The civil rights office, the chief enforcer of the privacy and security rules under the Health Insurance Portability and Accountability Act, was given the added task of conducting random privacy and security rule compliance audits under the more stringent HIPAA rules revisions contained in health information technology provisions of the American Recovery and Reinvestment Act of 2009. The office wrapped up its first round of 115 audits under the new law in December. There is no word yet when a final report on the results of those audits will be released, according to a civil rights office spokeswoman Wednesday, but in an earlier interview, OCR Director Leon Rodriguez said “a good number of them” indicated providers had not performed HIPAA-required security risk analyses. The office estimates that responding to the survey will take about two hours for each of the organizations to complete.

Learn more