In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). As announced on June 10, 2011, during the next 18 months the HIPAA privacy and security audits mandated under the American Recovery and Reinvestment Act of 2009 (“ARRA”) will be conducted by the Office of Civil Rights (“OCR”) through an audit contractor. The Department of Health and Human Services (“HHS”) awarded a $9.5 million contract to the KPMG accounting firm to “assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.” KPMG was awarded the contract one day after another contract had been awarded to Booz Allen Hamilton to conduct the “audit candidate identification” intended to identify the universe of covered entities and business associates subject to potential audit under this program.

Under Section 13411 of the Health Information Technology for Economic and Clinical Health Act, a part of ARRA (“HITECH”), HHS, through its Office of Civil Rights, is directed to conduct such audits for purposes of determining compliance with the privacy and security regulations under HIPAA.  Until now, the OCR has focused primarily on the investigation of alleged privacy and security violations in response to complaints, and has conducted a limited number of compliance reviews of covered entities, typically in response to publicized incidents.  The new audits will expand OCR’s activities in compliance enforcement and will raise the stakes for entities that have failed to appropriately implement HIPAA privacy and security safeguards.

How will the audits be conducted?

The audit program will consist of development of an audit protocol by KPMG, followed by site visits by KPMG to 150 covered entities and business associates. The size and types of entities selected for audit will vary, and the criteria for selection have not been disclosed at this time. According to the HHS contract synopsis, site visits conducted as part of every audit must include interviews with leadership, such as the Chief Information Officer, Privacy Officer, legal counsel, and health information management and/or medical records director; examination of physical features and operations; consistency of process to policy; and observation of compliance with regulatory requirements.

Although the exact details remain to be finalized, it would appear that the results of an audit will be communicated in a manner similar to accreditation surveys with which many health care providers are familiar, principally consisting of an initial audit report containing the auditor’s findings and a required plan of correction for any deficiencies, followed by a final report.  The auditor’s report must include the following:

  • A timeline and methodology of the audit;
  • Best practices noted;
  • Raw data collection materials, such as completed checklists and interview notes;
  • A certification indicating the audit is complete;
  • Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan;
  • Recommendations to the COTR (Contracting Officers’ Technical Representative) regarding continued need for corrective action, if any; and
  • A description of future oversight recommendations.

The final audit report must include the following:

  • Identification and description of the audited entity, including full name, address, EIN and contact person;
  • Methods used to conduct the audit;
  • For each finding:
    • Condition: the defect or noncompliant status observed, and evidence of each;
    • Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation;
    • Cause: the reason that the condition exists, along with identification of supporting documentation used;
    • Effect: the risk or noncompliant status that results from the finding;
    • Recommendations for addressing each finding; and
    • Entity corrective actions taken, if any;
  • Acknowledgement of any best practice(s) or success(es); and
  • Overall conclusion paragraph.

How will this impact my organization?

Given the very large number of covered entities and even larger number of business associates across the country, the chances of a particular provider, health plan or business associate being one of the 150 selected for audit will be relatively small.   Nevertheless, covered entities and business associates should begin to prepare by reviewing their current level of HIPAA compliance in anticipation of these government audits.   Covered entities and business associates should undertake a fairly formal review of their privacy and security programs for personal health information and data by (a) reviewing  whether or not the required standards and implementation specifications under the HIPAA privacy and security regulations are appropriately addressed in such policies and procedures, (b) verifying that all required documentation is being maintained, and (c) assessing whether, in a practical and everyday manner, the privacy and security of the entity’s protected health information (“PHI”) is being effectively protected by the program.   Covered entities and business associates should also assess the effectiveness of their ability to detect and provide required notifications in the event of a security incident or breach of unsecured PHI, in accordance with the security and breach notification regulations under HIPAA.  Essentially, now is a good time to invest internal resources toward answering the question, “Is our HIPAA compliance program effectively working?”

What are the issues that are raised by this development?

A few questions and issues are raised by the recent announcement of this audit program. For example, it is not clear how entities will be selected for audit, as no specific selection criteria are listed in the contract synopsis issued by OCR. Further, it is unclear whether an audit could subject the target entity to potential enforcement, such as civil penalties or a consent agreement, in the event significant HIPAA violations are discovered. Further details on the scope and content of the audits may become available after KPMG has completed the first phase of its engagement, the preparation of the audit protocol.
Although small in number relative to the large number of covered entities and business associates subject to HIPAA’s privacy and security regulations, the 150 HIPAA audits to be conducted by OCR through its contractor in the coming 18 months are just one more reason that covered entities and business associates should proactively establish a firm footing in privacy and security compliance related to the PHI they create, receive, use and disclose as part of their health care and/or health plan related activities. These entities should review and update their data security risk analyses to determine whether changes in operations, processes or technologies have created gaps in their HIPAA compliance programs since the privacy and security regulations first took effect over seven years ago.  Furthermore, policies, procedures and training materials should be reviewed and updated to reflect new technologies, and to incorporate changes brought about by ARRA and HITECH, such as breach notification, business associate security standards and the soon-to-be-modified provisions of the HIPAA privacy and security regulations.  While no compliance program is entirely perfect, covered entities and business associates should seriously consider the negative impact on their financial condition and reputation in the community, should they fail to pass muster under the new HIPAA audit program, or if a serious infraction of the recently updated HIPAA and HITECH requirements were to occur.