By: Cynthia C. Anderson
As part of its obligations under the HITECH Act, the Department of Health and Human Services Office for Civil Rights (OCR) is required to provide for periodic audits to ensure that covered entities and business associates are complying with the Privacy and Security Rules. Last June, HHS awarded a contract to KPMG to audit covered entities’ and business associates’ compliance with the HIPAA Privacy and Security requirements. The audit program will consist of up to 150 audits. It began in November 2011 and will continue through December 2012. Every covered entity and business associate is eligible to be audited, and OCR has stated that its intent is to audit as wide a range of types and sizes of entities as possible.
Entities selected for audit will be notified of their selection and asked to provide documentation of their privacy and security compliance efforts. The entity will be expected to provide the requested documentation within ten business days of the request. A site visit will then be conducted, projected to last three to ten days depending on the size and complexity of the entity and the auditor’s need to access materials and staff. After the site visit, a draft final report will be prepared and sent to the entity. The entity will have ten days to review the report and provide written comments back to the auditor. The auditor will then complete a final report within 30 days after receipt of any comments and submit it to OCR. While the general purpose of the audit is for OCR to learn about entities’ compliance efforts, it is likely that if major violations are found during the audit, this will lead to formal enforcement action by OCR.
Covered entities and business associates should take the prospect of an audit very seriously. While the likelihood of being subjected to an audit at this time may be small, a significant number of entities will be targeted, and it is likely that there will be further audit programs in the future. This may be an opportune time for an entity to review its HIPAA compliance program and documentation, and implement a risk analysis process to identify and address any potential gaps in privacy-related areas.