While the HITECH Act refers to audits of both covered entities
and business associates, OCR has indicated that the primary
focus will be on covered entities. 7 The contract calls for the protocol to reflect the specific requirements that apply to each type
of covered entity. The contract requires the protocol include the
flexibility to evaluate a wide variety of entities that have widely
OCR has not yet indicated whether the audit protocol will be
Major Violations May Lead to Enforcement
One of the biggest questions is whether these audits will be focused on gauging the state of compliance or whether HHS will
use them primarily as a tool to penalize covered entities. Early
indications are that OCR will be taking the former approach.
Susan McAndrew, the deputy director for privacy at OCR, has
indicated that the purpose of the audits will be to measure compliance in the absence of a precipitating incident and as a tool
for educating the public. 8 If an entity is audited and potential
violations are found, the audited entity should not assume that
it will need to enter into a settlement agreement or that a civil
monetary penalty will be imposed.
Nevertheless, while the focus of the audits will be prevention
and education, McAndrew has also stated that the discovery of
major violations may lead to formal enforcement. Auditors will
likely refer discoveries of “serious noncompliance” to OCR for
investigation and enforcement.
Payment to KPMG will not be based on whether audits result
in resolution agreement payments or civil money penalties.
The Audit Program’s Future
The audit contract is through December 31, 2012, so the audits
will occur over a relatively short period of time. Once the audit protocol is completed, the contractor will conduct approximately 20 audits. After these initial audits, the contractor will
receive feedback from HHS and the audit teams. It will then revise the protocol to address any concerns, implement improvements, and conduct the remainder of the audits.
McAndrew has indicated that development of the protocol is
expected to occur through October 2011. The protocol will be
tested in the initial set of audits through the end of January 2012,
and the remainder of the audits will occur through December
Since the audit program is being funded through the HITECH
Act, it is not clear whether the audit program will continue after HITECH Act funds expire in 2012. While budgets around the
federal government are expected to be tight, the HITECH Act
authorizes OCR to retain settlement and civil monetary penalty
funds, and such funds could be used to conduct future audits.
There are numerous indications that if the audit program is
considered successful, OCR will continue past 2012. The Booz
Allen Hamilton contract for identifying audit candidates con-
tinues through October 2012, suggesting that the results will
be used in future audits. The KPMG contract provides that the
audit protocol will consist of modules that could lead to more
issue-focused audits in the future.
The chances of being selected for audit are low; nevertheless
some covered entities will find themselves audited. In preparation for the possibility of an audit, HIM professionals should
work with colleagues to assess their privacy and security programs, including breach detection and notification.
Covered entities may wish to focus on checking that policies
and procedures are up to date and ensure the workforce has
been appropriately trained, especially newer staff. Covered entities also may wish to do their own mock site visits to ensure
that policies have been implemented among staff and that they
are effective in protecting privacy. Some seemingly good privacy policies fail in the face of practical realities, such as human
error, limited staff time, and limited resources.
Organizations should focus resources on eliminating potential major violations, such as any lack of safeguards for large
repositories of information or systematic failures that preclude
individuals from exercising their privacy rights. While it may
be impossible to achieve a perfect, fully compliant, audit-proof
privacy and security program, now is a good time for HIM professionals to tackle some of the bigger issues that often lead to
1. Department of Health and Human Services (HHS). HHS
Task Order HHSP233201100252G, Contract GS-3F-8127H.
2. Anderson, Howard. “McAndrew Explains HIPAA Audits.”
Healthcare Info Security, July 15, 2011. www.healthcarein-
3. HHS. HHS Task Order HHSP23337007T. Contract HHSP-
4. Audit Contract, 6.
5. Audit Contract, 10–11.
6. Anderson, Howard. “McAndrew Explains HIPAA Audits.”
8. Plank, Kendra Casey. “HIPAA Audits More Preventative
Than Punitive, HHS Official Says.” BNA Health IT Law and
Industry Report, August 22, 2011. www.bna.com/hipaa-
9. Greene, Adam, Cliff Baker, and Susan McAndrew. “The
Upcoming OCR HIPAA Audit Program—What to Expect
and How to Prepare.” Web conference, July 28, 2011. www.
Adam H. Greene ( email@example.com) is a partner at Davis Wright Tre-maine LLP.