The U.S. Department of Health and Human Services (HHS) recently posted a formal announcement on its website about a new audit program it was launching under the Health Insurance Portability and Accountability Act (HIPAA). The audits will be run under the Office for Civil Rights (OCR), the division within HHS that is responsible for enforcing HIPAA’s Privacy and Security Rules. According to the announcement, OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities, identify best practices, and discover previously unknown risks and vulnerabilities. OCR is expected to share best practices developed through the audit process publicly.
HHS has entered into a contract with KPMG, under which KPMG will work with HHS to conduct the audits. Under the program, OCR expects to conduct up to 150 audits, commencing in November 2011 and expected to run through December 2012. This initial group of audits is being referred to as the pilot phase.
Every covered entity and business associate is eligible for an audit, although the pilot phase is limited to covered entities. HHS indicates that it intends to audit a wide range of types and sizes of covered entities, including covered individual and organizational providers of health services, health plans of all sizes, and healthcare clearinghouses. Business associates will be included in later audit programs.
Entities selected for an audit will be notified by OCR and asked to provide documentation of their privacy and security compliance efforts. Every audit during the pilot phase will include a site visit, with interviews of key personnel and a review of processes to measure compliance, and will conclude with the preparation of an audit report. The auditors are expected to give the audited entity an opportunity to review a draft audit report before it is finalized. The final report submitted to OCR will describe the steps the audited entity has taken to resolve any compliance issues identified by the audit, and will also describe any best practices the entity has developed.
In turn, HHS representatives will review the completed audit reports and use their findings to develop future guidance and corrective programs. HHS has reserved the right to initiate a compliance review of any audited entity if an audit report indicates a serious compliance issue.