OCR Begins Pilot Phase of HIPAA Privacy and Security Audit Program

November 17, 2011

Authors: Joan W. Feldman, John H. Lawrence, Vincenzo Carannante, William J. Roberts

The Department of Health and Human Services Office for Civil Rights (“OCR”) is beginning the pilot phase of its HIPAA Privacy and Security Audit Program this month and expects to audit up to 150 covered entities between now and December 2012.  During the pilot phase, OCR will test and evaluate the audit protocols it recently developed, highlight best practices, and identify compliance risks and vulnerabilities.  Information obtained during the pilot phase will inform and guide OCR as it conducts future HIPAA compliance audits of both covered entities and business associates. OCR also intends to share lessons learned from the pilot phase, including best practices, with HIPAA-regulated entities.  While the pilot phase audits are primarily for informational purposes, OCR reserves the right to take enforcement actions in the event serious compliance deficiencies are discovered. To view additional information about OCR’s audit program, including the audit protocols and an audit timeline, please visit

© Shipman & Goodwin LLP, 2019. All Rights Reserved.