HIPAA Pre-Audit Survey Plans Announced

On February 24, 2014, the Department of Health and Human Services (HHS) published a Notice in the Federal Register setting forth its plans to submit an Information Collection Request titled HIPAA Covered Entity and Business Associate Pre-Audit Survey.

In order to allow the Office of Civil Rights (OCR) to fulfill its responsibility to conduct periodic HIPAA audits on both covered entities and business associates, HHS has stated that it intends to issue a pre-audit survey to as many as 1200 HIPAA covered entities and business associates.  The information will be used by the OCR to assess the “suitability” of the respondents for audits.  According to the Notice, the information will allow the OCR “to assess the size, complexity and fitness of a respondent for an audit” and will gather information such as number of patient visits or number of insured lives (in the case of health plans) and will also gather information on the use of electronic information, the revenue of the covered entity and business locations.

It is unclear from the Notice how the 1200 covered entities and business associates will be chosen for the pre-audit survey and what criteria will be used in the selection process when determining which covered entities or business associates will be audited.

One thing is certain – this Notice indicates an important step in OCR’s implementation of a permanent audit program.  Covered entities and business associates should seriously consider taking time to review their HIPAA policies and procedures and conduct or update their security risk assessment so that they are prepared if chosen for an audit.


  1. […] discussed in our previous blog post, HHS-OCR first published the same Notice in the Federal Register on February 24, 2014 with a 60-day […]

Speak Your Mind