To implement the HITECH Act’s mandate for the HHS Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. The pilot phase will include an initial 20 audits between November 2011 and April 2012, with the remaining audits scheduled to conclude by December 2012. In the pilot phase, OCR plans to audit covered individual and organizational providers of health services, health plans, and health care clearinghouses; business associates will be included in future audits.

During the pilot, every audit will include a document production and an onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days.

After fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review the report and provide written comments to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.