The acronym “HIPAA” has become a household name since the enactment of the Health Information Portability and Accountability Act of 1996, which, among other things, established rules for protecting and securing patients’ health information. In fact, it is not uncommon to hear about breaches of patient information costing healthcare providers and suppliers six and seven figure civil monetary penalties or settlements. Typically, such settlements and penalties have arisen out of patient complaints that the privacy of their protected health information (PHI) has been compromised. However, beginning November 2011, patient complaints will not be the only way in which the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) will learn about non-compliant entities.
Section 13411 of the American Recovery and Reinvestment Act of 2009, which established the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires the Secretary of HHS to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy Rule, Security Rule and Breach Notification Rule (collectively, the HIPAA Rules). To achieve this end, the OCR has engaged, under a $9.2 million contract, KPMG, LLC (KPMG) to conduct performance audits of covered entities in the form of a pilot audit program. The pilot will include up to 150 audits of covered entities to ensure compliance with HIPPA. The pilot program will conclude in December of this year.
Who Will be Audited
During this pilot program, covered entities of all sizes will be audited. According to the OCR, it “will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit.” Business associates will not be audited during the pilot, but will be included in future audits. A covered entity is defined as (i) a health plan, (ii) a healthcare clearinghouse, or (iii) a healthcare provider transmitting any health information in electronic form. As such, anesthesiologists, anesthesia groups, CRNAs, ambulatory surgery centers, physician offices and clinics electronically transmitting any health information are eligible to be audited by the OCR. auditing app
What Audited Entities Can Expect
Although the OCR will begin with roughly twenty (20) audits to test and finalize the audit protocols, audited entities can expect the HIPAA audits to include a request for documentation, an on-site field visit and a report. Initially, the OCR is using the audit process to detect compliance with the HIPAA Rules and identify best practices, and to discover compliance risks and vulnerabilities.
Step 1: Notification Letter
The OCR will send entities written notification letters. Included in the notification letter will be a request for documentation evidencing their HIPAA privacy and security compliance efforts. The OCR provided a sample notification letter on its website.1 Included in the sample letter is the following language briefly advising the audited covered entity of what to expect:
In the attached letter, KPMG LLP requests certain information be provided by you in order to facilitate the audit process. Additionally, they provide contact information for the audit firm personnel responsible for conducting the audit. Please recognize that KPMG LLP is requesting and reviewing these documents solely as a contractor to OCR and on its behalf and pursuant to its audit authority. This letter serves to notify you that the audit shall begin within the next 30 to 90 calendar days from the date of this letter. The results of the audit firm’s work, including your management’s written response to any reportable findings will be presented in a final report to OCR.
Audited entities will have ten (10) business days in which to provide the requested documentation.
Step 2: Receipt and Review of Documentation and Planning Field Work
After KPMG receives the requested documentation from the audited entities, it will review the documentation and begin planning the audit field work-the on-site visit to the audited entity. Following KPMG’s review, audited entities should expect KPMG to notify them within thirty (30) to ninety (90) days prior to the on-site visit