HIPAA Privacy & Security Audit Program

December 1, 2012

The American Recovery and Reinvestment Act of 2009 (ARRA), in Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH), requires the U.S. Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, the Office for Civil Rights (OCR) piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began in November 2011 and will conclude in December 2012.