HHS Steps up HIPAA Audits
Now Is the Time to Review Security Policies and Procedures
By Adam H. Greene
In June 2011 the Department of Health and Human Services awarded KPMG a $9.2-million contract to create an audit protocol and audit organizational compliance with the HIPAA privacy and security requirements.¹ The contract calls for as many as 150 audits of covered entities and business associates before December 31, 2012. The HHS Office for Civil Rights (OCR), the agency responsible for administering and enforcing the privacy and security rules, has indicated major violations uncovered by the audits may lead to formal enforcement measures (such as settlement agreements or civil monetary penalties).² In preparation for these audits, covered entities and HIM professionals need to be proactive and review organizational privacy and security compliance programs to ensure they are effectively protecting
The HITECH Act’s Audit Program
The HITECH Act mandates that HHS conduct periodic privacy and security audits of HIPAA covered entities and business associates. In response to this mandate, HHS recently awarded two contracts related to the HIPAA audit program.
HHS awarded a $180,000 contract to Booz Allen Hamilton on June 9, 2011, for “audit candidate identification.”³ The purpose of this contract is to identify a means for HHS to create and maintain a comprehensive inventory of all HIPAA covered entities subject to these audits. The contract runs through October
The contract awarded to KPMG requires the contractor develop an audit protocol and conduct privacy and security audits. The audit protocol covers both the HIPAA privacy and security rules. Audits will assess whether a covered entity has comprehensive policies and procedures and has implemented them consistent with the HIPAA rules.⁴ According to the contract, every audit will include a site visit and an audit report.