Skip to main content

Attention HIPAA Covered Entities: Keep an Eye on Your Mailbox....

Written by Dianne Bourque

The HHS Office of Civil Rights has begun notifying the 150 covered entities chosen for its first round of audits under HITECH, and it has posted a sample audit notification letter.    

If your organization receives one of these letters, immediate attention is critical.  You may have as few as ten days to respond to documentation requests accompanying the audit notification.  Requested documentation will likely include policies and procedures, forms, evidence of HIPAA privacy and security program implementation (such as documentation of completed training), and other documentation required by the HIPAA privacy rule and security standards.  A site visit may occur as soon as thirty days following the audit notification letter.  During a site visit, auditors will interview key personnel and observe your business operations to evaluate compliance. 

Don’t wait until you receive an audit notification letter to evaluate your HIPAA compliance program. There is never a good time to have a gap in your program, but the stakes are even higher in the post-HITECH world.

Subscribe To Viewpoints


Karen S. Lovitch

Chair, Health Law Practice & Co-Chair, Health Care Enforcement Defense Practice

Karen advises industry clients on regulatory, transactional, operational, and enforcement matters. She has deep experience handling FCA investigations and qui tam litigation for laboratories and diagnostics companies.
Dianne specializes in counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, and counsels health care clients on the HIPAA Privacy Rule and Security Standards.