The Office for Civil Rights ("OCR") of the Department of Health and Human Services has announced an audit initiative under which it intends to conduct audits of up to 150 covered entities to review compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  The audit will focus on the HIPAA privacy and security requirements.  The OCR will select a broad range of entities, including health plans and health care providers of all sizes.  HIPAA audits begin immediately.

Group health plan sponsors and health care providers should carefully review their HIPAA compliance programs.  Keep in mind that HIPAA mandates training of individuals who have access to protected health information.  Failure to train (and to properly document training) could result in significant liability.  

Similarly, failure to have compliant documents, notices, practices and procedures could subject the covered entity to substantial penalties and well as requirements to provide notification of breaches of the HIPAA requirements. 

HIPAA mandates training. . . audits begin immediately.

Plan sponsors should examine all business associate relationships.  They should ensure too that they have updated their documents and properly documented all relationships.