As expected, HHS (the US Department of Health and Human Services) engaged KPMG to conduct the audits, while a second vendor was selected to support the selection criteria for covered entities.

The pilot phase of the program has been announced and provides details on:

  • Audit program objectives: the aim is to assess HIPAA compliance efforts by a range of covered entities and their mechanisms for compliance, and to discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.
  • Audit start and end dates: OCR expects the initial audits to begin while the last step will include conducting audits using revised protocol materials obtained in the initial wave. All audits in this pilot will be completed by the end of the year.
  • Audit scope: will include every covered entity and business associate that will be included in future audits.
  • Audit process details: the audit will include 6 steps relying on familiar audit mechanisms. The audit process starts with the notification letter sent to covered entities. In step 2, selected entities are asked to provide documentation (privacy and security policies …). Step 3 will include a site visit where auditors will interview key personnel and observe processes and operations. In step 4, auditors will develop and share with the covered entity a draft report describing how the audit was conducted, what the findings were, and what remediation activities the covered entity is taking in response to those findings. Step 5 is about finalizing the report; the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address the concerns identified. The final report will be released in step 6 and submitted to OCR; it will detail the action plan the covered entity has taken to resolve compliance issues.
  • General time for an audit: covered entities are notified between 30 and 90 days prior to an audit. Depending upon the complexity of the organization and the auditor’s need to access materials and staff, onsite visits may take between 3 and 10 business days.
  • Audit findings review: OCR will not provide a listing of audited entities or the findings of a covered entity audit in a form that clearly identifies the audited entity. OCR's aim is to determine what types of corrective action should be developed. However, if an audit report indicates a serious compliance issue, OCR may initiate a compliance review to address the problem.
  • Consumer benefit: concerns about HIPAA compliance identified by an audit and corrected will be used to improve the privacy and security of health records. OCR will generate best practices and technical assistance to help covered entities and business associates improve their efforts to keep health records safe and secure.

More about the HHS audit program ...