Medical Billing Blog

Office for Civil Rights Starts HIPAA Privacy Audits

Posted by Barry Shatzman on Wed, Nov 16, 2011 @ 10:11 AM

This month, the Office for Civil Rights will begin auditing Covered Entities and Business Associates in order to gauge their level of compliance with the HIPAA Privacy and Security Rule and Breach Notification Standards. These audits, called for under the HITECH Act by the Department of Health and Human Services, will be part of a pilot program to be conducted through December 2012, intended to determine whether guidelines relating to privacy are being followed.

The OCR plans to audit 150 Covered Entities and Business Associates, and everyone is eligible. The audit team will review policies, procedures, practices, systems, operations, and infrastructures. A final report will include specific recommendations to address identified problems and a corrective plan. Under this program, the OCR will determine what types of corrections are most effective for adhering to guidelines.

Covered entities are health care providers, and business associates are companies that receive Protected Health Information (PHI) in the course of providing their services for the covered entity. BAs are now directly "on the compliance hook" since they are required to comply with the safeguards contained in the Security Rule (SR).

A breach, for the purposes of this article, means the unintended use, access, or disclosure of PHI which can compromise the security or privacy of a patient and imposes significant financial, reputational, or other risks to a patient. HITECH requires that patients be notified of any unsecured breach of their PHI.

This is a pilot program and these audits are intended to create tools to better protect patient information. I have absolutely no doubt that once this trial period is over and new tools are created, HITECH will enforce guidelines. Even though everyone will need to comply with these guidelines, at least we can all agree nobody would want their own personal medical history exposed.