This month, HHS' Office for Civil Rights will start auditing covered entities for compliance with HIPAA privacy, security and data breach notification rules, Health Data Management reports (Goedert, Health Data Management, 11/8).
This summer, OCR awarded a $9.2 million contract to consulting firm KPMG to conduct the audit program. OCR also awarded a contract worth about $180,000 to Booz Allen Hamilton to help identify candidates for the audits (Conn, Modern Healthcare, 11/9).
First Round of Audits
During an initial round of 20 audits, OCR will assess covered entities of different sizes and functions. Future audits will target business associates.
OCR plans to send written notices to the entities selected for the audits, explaining the process and requesting initial documents and data. Selected entities will be asked to provide the requested information within 10 days.
OCR officials then will conduct a site visit to each covered entity between 30 and 90 days after notification.
Goals of Audits
OCR said it intends to use the results of the 20 initial audits to make decisions about how to conduct future audits.
In addition, the office plans to use KPMG's audit reports to determine what type of technical assistance the covered entities might need and which corrective actions would be most effective to boost HIPAA compliance (Health Data Management, 11/8).
The office plans to conduct as many as 150 audits by the end of 2012. Additional information about the HIPAA audits is available on OCR's website (Modern Healthcare, 11/9).