An official at HHS' Office for Civil Rights says the agency has not decided whether to include business associates in its HIPAA-compliance audit plans, HealthLeaders Media reports.
Contract for Audit Planning
Last month, OCR awarded a $9.2 million contract to consulting firm KPMG to develop protocols to support HIPAA audits. The contract calls for as many as 150 audits before December 31, 2012.
Susan McAndrew -- OCR's deputy director of health information privacy -- said the audit program will be implemented in three stages:
- OCR will collaborate with KPMG to develop auditing procedures;
- OCR and KPMG then will conduct an initial round of audits to test the program; and
- If the tests go well, OCR will conduct a full range of onsite audits and an evaluation process.
However, McAndrew said, "OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2012."
Data Breaches Involving Business Associates
According to data on OCR's website, there have been 292 breaches affecting 500 or more individuals since September 2009. Business associates have been involved in 57, or about 20%, of those breaches.
In addition, business associates were involved in the two data breaches that affected the largest number of people, according to HealthLeaders Media (Nicastro, HealthLeaders Media, 8/5).