HIPAA Audit Tests Start This Month
150 Compliance Audits Planned by End of 2012
The Department of Health and Human Services' Office for Civil Rights has posted a fact sheet about the audit program that summarizes the details. The program to audit compliance with the Health Insurance Portability and Accountability Act's privacy, security and breach notification rules was mandated by the HITECH Act. OCR hired the consulting firm KPMG to conduct up to 150 audits by December 2012. The fact sheet confirms many details already revealed by OCR officials.
In an earlier interview, Susan McAndrew, a deputy director at OCR, estimated that about 20 test audits would be conducted in the first round.
Focus on Covered Entities
The audit program for 2012 will focus on HIPAA covered entities, such as hospitals, clinics and health plans, with business associates to be included in future audits. "Selections in the initial round will be designed to provide a broad assessment of a complex and diverse healthcare industry," according to the fact sheet. "OCR will audit as wide a range of types and sizes of covered entities as possible."
OCR stresses that the audits are "primarily a compliance improvement activity." Nevertheless, its fact sheet notes that an audit that indicates a serious compliance issue could trigger a compliance review, which could lead to sanctions.
Leon Rodriguez, the new OCR director, said in an earlier interview: "Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action."
The fact sheet notes: "The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective."
OCR will not post a list of audited organizations nor the findings of an individual audit that clearly identifies the audited entity. But it plans to "share best practices gleaned through the audit process" as well as offer guidance tied to "observed compliance challenges."
Every audit will involve an onsite visit. OCR expects to give organizations 30 to 90 days advance written notice of an auditor's visit. The visits will take three to 10 business days. Those selected for an audit will be asked to provide documentation of their privacy and security compliance efforts.
Auditors will share a draft report describing their findings. "Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified," the fact sheet states. "The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity."
As reported earlier, OCR's major health information breach tally shows KPMG, as a business associate, was involved in two related breach incidents last year, affecting a total of about 4,600 individuals. The incidents, stemming from the loss of a portable electronic device, occurred May 10, 2010, and affected patients at Saint Barnabas Medical Center and Newark Beth Israel Medical Center. The two New Jersey hospitals are part of Barnabas Health, formerly known as Saint Barnabas Health Care System.
In August, McAndrew provided HealthcareInfoSecurity with a statement on the auditor selection process, declining to comment on the breach incidents involving KPMG:
"The award of the HIPAA audit contract was the result of HHS' usual rigorous, competitive process. Specific questions regarding the contract award are procurement-sensitive. OCR worked with the HHS Program Support Center through a GSA [General Services Administration] competitive procurement process to select KPMG to conduct the pilot HIPAA privacy and security audits on behalf of HHS.
"This process involved the posting of a solicitation describing the work to be conducted and required qualifications. PSC organized a panel to review and rank all technical proposals received and offeror qualifications by predetermined evaluation criteria. Evaluation criteria in the solicitation included responsiveness to the audit design requirements in the HHS statement of work, as well as past performance on other compliance audit programs. Negotiations were conducted, and an offer was made."