The Security Scrutinizer with Howard Anderson

A Look at HIPAA Auditor Contract

More Details on What to Expect from Compliance Audits

Adam Greene, a partner at the law firm Davis Wright Tremaine LLP, in a recent blog provided a link to the contract that he obtained through a Freedom of Information Act request. Greene formerly was an official at the HHS Office for Civil Rights, the unit that hired KPMG and will oversee the audit program.

HIPAA Audit Details

The KPMG contract, Greene noted, requires the auditors to inform the organizations they're scrutinizing that "OCR may initiate further compliance enforcement action based on the content and findings of the audit, and that corrective action that cures identified deficiencies may serve to reduce or eliminate potential civil monetary penalties."

The contract calls for conducting 150 compliance audits by December 2012. Each audit will include a site visit. The contract specifies audit teams will consist of three to five auditors, except that teams of two to three may be used for audits of smaller organizations, Greene notes. The contract states that site visits will typically last two to five days, depending on size and complexity.

Site visits will include interviews with leadership, such as the CIO, privacy officer, legal counsel and medical records director. 

Site visits will include interviews with leadership, such as the CIO, privacy officer, legal counsel and health information management/medical records director. They will also include examination of physical features and operations, consistency of process to policy and observation of compliance with regulatory requirements, according to the contract.

In a recent interview with HealthcareInfoSecurity, Susan McAndrew, deputy director of privacy at OCR, explained that the audit program, mandated by the HITECH Act, would be launched in several phases. The first step will be the creation of a comprehensive set of protocols for how audits will be conducted and what measures will be used to determine compliance. The second step will be to conduct about 20 test audits to make sure the protocols are effective, she saio. After that, the formal program for on-site audits will continue through the end of 2012. Then the audit program will be evaluated.

The contract requires KPMG to develop protocols that cover the entire HIPAA privacy and security rules, but that are designed so that modules of the protocol can be used for audits targeted to areas of high risk and frequent noncompliance. The audit protocol, under the contract, should provide for comprehensive assessment of policies, procedures, practices, systems, operations and infrastructure.

But McAndrew noted in the interview: "At least initially, because we're very interested in assuring that the protocols are complete and provide comprehensive feedback to us on the degree of compliance, we will be focusing primarily on more comprehensive aspects of compliance. That's not to say that we won't find a capacity within this pilot period for running a few audits that are more issue-directed."

She also indicated that audits initially will be focused on covered entities, rather than business associates.

What Happens Next?

In his blog, Greene speculated about what will happen after the audit program ends in 2012 and OCR evaluates the results. "While budgets around D.C. may be tight in the coming years, and the HITECH Act funds for this program dry up at the end of 2012, the HITECH Act also provides that OCR retains any settlement amounts or penalties resulting from privacy and security enforcement," he noted. "The continuation of this audit program may be a prime candidate for the allocation of such funds."

Meanwhile, the time has come to prepare for a potential audit. Greene and others are advising healthcare organizations to take several important steps, including conducting a thorough self-assessment (see: HIPAA Audits: A Preparation Checklist).

And it's worth taking a look at KPMG's contract to get some perspective on what the government is expecting from its auditing partner.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.