Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses Phase Two of HIPAA Audit Program 

Healthcare Info Security 
July 13, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a July 12 Healthcare Info Security article about the U.S. Department of Health and Human Services’ (HHS) selection of 167 health care entities for the second phase of the Health Insurance Portability and Accountability Act (HIPAA) audit program. The organizations were notified of the audits by HHS’ Office for Civil Rights (OCR) on July 11, and they must submit the required documentation by July 22, according to the article. The remote desk audit will review compliance with the HIPAA privacy, security, and breach notification rules.

HIPAA-covered entities that have received the desk audit requests are “in for a real challenge,” Mr. Nahra said. “The 10-day turnaround is very fast, and the requests are very document-intensive.”

While OCR says it reserves the right to take enforcement action based on audit results, “it has also made clear that the purpose of the audit program is guidance and education, not enforcement,” Mr. Nahra said. If the audits do lead to any enforcement, it will be limited to “extreme/unusual situations where there is a total failure of compliance. No one should look forward to the audit, but the major challenge will be timely responses, not any resulting enforcement.”

For all health care entities and business associates, “this is a good reminder to get your policies and procedures in place,” Mr. Nahra said. “OCR asks for many of the same documents in an actual investigation, so having these ready now will help you both for an audit and for the more threatening event of an actual investigation.”
