The acronym “HIPAA” has become a household name since the enactment of the Health Information Portability and Accountability Act of 1996, which, among other things, established rules for protecting and securing patients’ health information. In fact, it is not uncommon to hear about breaches of patient information costing healthcare providers and suppliers six and seven figure civil monetary penalties or settlements. Typically, such settlements and penalties have arisen out of patient complaints that the privacy of their protected health information (PHI) has been compromised. However, beginning November 2011, patient complaints will not be the only way in which the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) will learn about non-compliant entities.Section 13411 of the American Recovery and Reinvestment Act of 2009, which established the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires the Secretary of HHS to “provide for periodic audits to ensure...