Posted by: RedaChouffani
Audit, Data privacy and security, HHS OCR, HIPAA, HIPAA audits, Office of Civil Rights
The Department of Health and Human Services and the Office for Civil Rights (OCR) announced that they will begin the process of auditing covered entities and their business associates to ensure their compliance with the HIPAA Privacy and Security Rules and Breach Notification standards. The audits will initially begin as part of a pilot program covering 150 covered entities from November 2011 through December 2012.
The current outline of the published audit details is as follows according to the HHS web site:
The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.
The group responsible for the audits is KPMG, which was awarded the contract for just under 9 million dollars. This group has previously been involved in audits for the IRS and other federal entities. While the audit outcomes will not be made public, the audited entities will receive a written report with the findings.
These audits suggest that HHS may be more serious about enforcing HIPAA processes than ever before. This is also yet another reminder that HIPAA compliance should continue to be a top priority for health care organizations and a topic that should definitely be included in enterprise-level planning for 2012 and beyond.