Skip Navigation

HIPAA Privacy & Security Audit Program

Overview:  The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  To implement this mandate, OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance.   Audits conducted during the pilot phase  began November 2011 and concluded in December 2012. Click here for more information about the pilot program.