For healthcare managers, providers and caregivers! By sharing quality information and resources, we help achieve affordable Healthcare and a balanced Work Life, enabled by trusted Technology, electronic records, and secured access to private health information.

When does the HIPAA audit start?

Will you be the target of an HHS Office of Civil Rights (OCR) HIPAA privacy and security audit? 

The HITECH Act requires HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules. To implement this mandate, OCR is piloting a program to perform up to 150 audits of covered entities for compliance. Audits conducted during the pilot phase will begin November 2011 and conclude by December 2012.

All health care providers, health plans of all sizes and functions, health care clearinghouses and business associates may be selected for an audit. OCR will select and audit as wide a range of types and sizes of covered entities as possible. Business Associates will be included in future audits.

OCR will use this pilot audit program to examine the mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that haven’t otherwise come to light. All audits will include site visits and the issuance of audit reports.

When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter will introduce the audit contractor, explain the audit process, and describe initial document and information requests. It will also specify how and when to return the requested information to the auditor. The requested information is to be provided within 10 business days.

OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.


  1. Great thoughts you got there, believe I may possibly try just some of it throughout my daily life.

    Management Audit