Skip to main content

Attention HIPAA Covered Entities: Keep an Eye on Your Mailbox....

Written by Dianne Bourque

The HHS Office of Civil Rights has begun notifying the 150 covered entities chosen for its first round of audits under HITECH, and it has posted a sample audit notification letter.    

If your organization receives one of these letters, immediate attention is critical.  You may have as few as ten days to respond to documentation requests accompanying the audit notification.  Requested documentation will likely include policies and procedures, forms, evidence of HIPAA privacy and security program implementation (such as documentation of completed training), and other documentation required by the HIPAA privacy rule and security standards.  A site visit may occur as soon as thirty days following the audit notification letter.  During a site visit, auditors will interview key personnel and observe your business operations to evaluate compliance. 

Don’t wait until you receive an audit notification letter to evaluate your HIPAA compliance program. There is never a good time to have a gap in your program, but the stakes are even higher in the post-HITECH world.

Subscribe To Viewpoints


Karen S. Lovitch

Member / Chair, Health Law Practice

Karen S. Lovitch is a Mintz attorney who represents health care companies in regulatory, transactional, and operational matters. She advises them on health care regulations such as the Stark Law and the Clinical Laboratory Improvement Amendments of 1988.
Dianne J. Bourque advises health care clients on licensure, regulatory, contractual, risk management, and patient care matters for Mintz. Dianne counsels researchers and research sponsors on FDA and OHRP regulations. She also counsels clients on data privacy issues, including HIPAA standards.