Patricia O'Connell
Senior Communications Manager

Kirk Nahra Comments on New Guidance for HIPAA Desk Audits

Healthcare Info Security 
July 29, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a July 28 Healthcare Info Security article about the new federal guidance for Health Insurance Portability and Accountability Act (HIPAA) desk audits, which require heavy documentation. 

According to the article, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) on July 11 sent HIPAA audit notification letters to 167 covered entities, asking them to submit requested compliance documentation for the desk audits within 10 days.

Mr. Nahra questioned the timing of the HIPAA audit guidance, since it was issued after the deadline had already passed. “Somewhat weird timing, but presumably the target audience for this information is ‘everyone else,’ rather than the entities being audited.”

The documents “show how intricate the audit requests are and how complicated it may be to provide everything that OCR thinks [organizations] should have,” Mr. Nahra said.

Through this new audit guidance, and the “incredibly complicated audit protocol,” OCR is sending the message that it “really expect[s] a ton of documentation of these activities, at very detailed levels,” he added.

“Many organizations—particularly when the audits turn to business associates—will not have this kind of documentation at this kind of detailed level,” Mr. Nahra said. “I hope that OCR learns that its expectations about documentation may exceed the capacity of the health care industry and its contractors to prepare this kind of documentation.”
