Audit Pilot Program

OCR initiated a pilot program in 2012.

Program Objectives: The audit program served as a part of OCR’s health information privacy and security compliance program. OCR used the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.

About the Audit Pilot

The pilot audit program was a three-step process. The first step entailed developing the audit protocols. Next, a limited number of audits was conducted in an initial wave to test these protocols. The results of the initial audits informed how the rest of the audits were conducted. The last step included conducting the full range of audits using revised protocol materials. All audits in this pilot were completed by the end of December, 2012.

Figure: Timeline of the audit pilot program's three-step process

Who Was Audited?

Every covered entity and business associate was eligible for an audit. Selections in the initial round were designed to provide a broad assessment of a complex and diverse health care industry. OCR was responsible for selection of the audited entities. OCR audited as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses could all be considered for an audit. We expected covered entities to provide the auditors their full cooperation and support and reminded them of their cooperation obligations under the HIPAA Enforcement Rule.

Business Associates will be included in future audits.

The Audit Process

The privacy and security performance audit process included generally familiar audit mechanisms. Entities selected for an audit were informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit included a site visit and resulted in an audit report. During site visits, auditors interviewed key personnel and observed processes and operations to help determine compliance. Following the site visit, auditors developed and shared with the entity a draft report; audit reports generally described how the audit was conducted, what the findings were and what actions the covered entity took in response to those findings. Prior to finalizing the report, the covered entity had the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR incorporated the steps the entity had taken to resolve any compliance issues identified by the audit, and described any best practices of the entity.

Figure: Infographic showing the timeline for an audit. References to days are in business days.

What was the General Timeline for an Audit?

When a covered entity was selected for an audit, OCR notified the covered entity in writing. The OCR notification letter introduced the audit contractor, explained the audit process and expectations in more detail, and described initial document and information requests. It also specified how and when to return the requested information to the auditor. OCR expected covered entities and business associates who were the subject of the audit to provide requested information within 10 business days of the request for information.

OCR notified selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits took between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork was completed, the auditor provided the covered entity with a draft final report; a covered entity had 10 business days to review and provide written comments back to the auditor. The auditor completed a final audit report within 30 business days after the covered entity’s response and submitted it to OCR.

What Happened After an Audit?

Audits were primarily a compliance improvement activity. OCR reviewed the final reports, including the findings and actions taken by the audited entity to address findings. The aggregated results of the audits enabled OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR used the audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR could initiate a compliance review to address the problem. OCR did not post a listing of audited entities or the findings of an individual audit which clearly identified the audited entity.

How Are Consumers Affected?

The audit program represents one more avenue by which OCR ensures compliance with HIPAA protections of health information to the benefit of consumers. For example, the audit program could have uncovered the reasons many health information breaches occur and helped OCR create tools for covered entities to better protect individually identifiable health information. Concerns about compliance identified and corrected by an audit will serve to improve the privacy and security of health records. The technical assistance and best practices that OCR generates will also assist covered entities and business associates in improving their efforts to keep health records safe and secure. OCR continues to accept complaints from individuals, and covered entities continue to have the obligation to accept complaints from persons about their HIPAA Rule activities.

Did audits differ depending on the size and type of covered entity?

The audit protocol was designed to work with a broad range of covered entities. The audit procedures varied depending on the size and complexity of the entity being audited.

Did auditors look at state-specific privacy and security rules in addition to HIPAA's Privacy, Security, and Breach Notification Rules?

No, the scope of the audit program did not extend beyond the Privacy, Security, and Breach Notification Rules.

Who was responsible for paying the on-site auditors?

The Department entered into a contract with the audit contractor to conduct the audits on its behalf. Covered entities were not responsible for remuneration of the auditing firm.

Auditee Selection

For the pilot phase of the audit program, OCR identified a pool of covered entities for audits that broadly represented the wide range of healthcare providers, health plans, and healthcare clearinghouses that operate. Using this spectrum of audit candidates permitted OCR to assess HIPAA compliance in a variety of entities with unique operating environments and relationships with patients. Among the specific criteria used to select particular candidates were whether the entity is public or private, the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to patient care, and past and present interaction with OCR concerning HIPAA enforcement and breach notification. OCR also considered geographic factors in the selection process.

Entities that received notification letters

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013