OCR Starts HIPAA Privacy Audits

The HHS Office for Civil Rights will begin HIPAA audits in November to assess covered entities' compliance with the privacy, security and breach notification rules.

Under a $9 million contract announced in July, consultancy KPMG has developed audit protocols and now will conduct up to 150 audits by the end of 2012. KPMG, ironically, was responsible for two major breaches listed on OCR's public web site of incidents affecting 500 or more individuals. In May 2010, the firm lost an unencrypted flash drive holding protected health information on 956 patients of Newark Beth Israel Medical Center and 3,630 patients at Saint Barnabas Medical Center, both in New Jersey.

The audits will start with 20 "initial" audits to test the new protocols. "The results of the initial audits will inform how the rest of the audits will be conducted," according to a new OCR Web page with information on the program. OCR will focus on auditing covered entities of various sizes and functions in the initial round, with business associates being included in future audits. "We expect covered entities to provide the auditors their full cooperation and support, and remind them of their cooperation obligations under the HIPAA Enforcement Rule."

OCR will notify covered entities selected for an audit in writing. The office does not explain how entities will be selected. The notification will explain the program and describe initial document and information requests; the requested material should be provided within 10 business days. Selected covered entities can expect a site visit between 30 and 90 days after notification.

In general, OCR will use resulting audit reports from KPMG to determine types of technical assistance that should be developed and what types of corrective actions are most effective. "Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem," according to the office. "OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity."

More information, including a sample notification letter, is available here.

