The Department of Health and Human Services (HHS) is required by the American Recovery and Reinvestment Act of 2009 to provide periodic audits to ensure covered entities are in compliance with the privacy and security rules of HIPAA. To satisfy the requirements under the Act, HHS’ Office for Civil Rights (OCR) initiated its pilot program to perform HIPAA audits of covered entities. OCR has awarded KPMG with the contract to conduct the audits. The audits under the pilot program are scheduled to begin this month and continue until the end of 2012. HHS believes that these audits “present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews”
The first round of the pilot program will consist of 20 audits targeting covered entities of various sizes and specialties throughout the healthcare industry. The selected entities will be notified, in writing, by OCR that they have been selected for an audit. The written notification will explain the audit process and will also ask the entity to provide OCR with documentation of their privacy and security compliance efforts. The time allotted for the selected entities to satisfy the initial documentation request is 10 days. After OCR receives the requested documentation, entities will be notified that an onsite visit will be conducted. The onsite visit will likely take place between 30 and 90 days after the entity has been notified of the visit. Upon completion of the visit, the entity will be provided with a draft final report. Once received, the entity is given the opportunity to provide the auditor with written comments. After reviewing the entity’s comments, the auditor will submit a final audit report to OCR.
OCR plans to use the findings in the audit report to determine what types of technical assistance should be developed, and which types of corrective actions are most effective. By the end of 2012, OCR plans to conduct as many as 150 audits. The pilot program will be used by OCR to determine the most successful methods for conducting HIPAA audits in the future.
If you have any questions regarding HIPAA audits, or have concerns pertaining to your current compliance methods, please contact a Wachler & Associates attorney at 248-544-0888.