December 1st signaled the next installment in OCR’s enforcement of the HIPAA Privacy & Security Rules with the long-anticipated launch of its random Audit Program. Letters to all of the organizations selected as part of the initial pilot “first 20” were sent on this day. That group included providers both large and small, payers both large and small, and at least two clearinghouses. The provider mix was made up of physician practices, hospitals, a laboratory, a dental group, a nursing & custodial care organization, and a pharmacy.
Audited entities were given 10 days from the date of the letter to provide documentation concerning the HIPAA Security Rule, the HIPAA Privacy Rule, and the Breach Notification Rule to the Audit Team. The list of documents requested was part of a three-page attachment to the letter that explained the audit process, requested contact information, and identified the audit team and Program Manager. In addition, there was a cover letter from HHS/OCR informing the organization that it had been selected for audit and describing the process and the audit contractor’s role.
The actual on-site audit process is expected to happen sometime after mid-January. Shortly after the letters arrived, the Audit Team scheduled a conference call with each recipient to make formal introductions, explain the process, identify logistical requirements for the upcoming on-site visit, and solicit any questions from the audit sites. The on-site portion of the audit, according to the letter, can last 6-10 days depending on the size and complexity of the entity audited, and the team will consist of 3-5 audit members. During the follow-on “Introductory Conference Call,” expectations were set as to the size of the team and the length of time expected to complete the on-site survey portion of the audit. Following the completion of the on-site audit, a report will be developed and provided back to the audited entity for review and comment. After receiving comments back from the audited entity, the Audit Team will forward both the report and the site’s comments to OCR for disposition.
What is unknown at this time is what standard the Audit Team will use to measure compliance, or how wide and deep its audit focus will be. Based on CynergisTek’s review of the checklist and the letter, it appears that the audit will, at a minimum, address HIPAA security and privacy and the Breach Notification Rule under HITECH.