HIPAA Audits Have Begun

Published: January 20th, 2012

There are few words in the English language that evoke such bone-chilling, stomach-churning fear as the five-letter, two-syllable word “audit.” Even the most law-abiding, receipt-hoarding, fastidious, record-keeping number cruncher trembles when, upon opening the envelope, he stares fixedly on the most ominous of words. It is usually the IRS that elicits such visions of impending doom, but now health care providers are squirming as the new HIPAA compliance audit program has begun.

What are the audits all about? The HITECH Act, part of the economic stimulus package passed in 2009, mandated the audit program to improve compliance with HIPAA’s privacy and security rules. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced the program.

This year 150 organizations will be selected for audits. The first 20 letters were mailed on December 1st. It is the intention of OCR to select covered entities that broadly represent health care providers, health plans, and health care clearinghouses. In the beginning phase, OCR is auditing eight health plans, two claims clearinghouses, and 10 provider organizations, including three hospitals, three physicians’ offices, a laboratory, a dental office, a nursing facility, and a pharmacy.

The audit process begins with a letter notifying the facility of its selection. The organization then has 10 days to provide a long list of required information, including copies of its HIPAA privacy and security compliance policies, as well as its plan for complying with the HIPAA breach notification rule. The auditors will also want to see documented protocols for administrative, physical, and technical safeguards, evidence of a privacy and security governance committee, training materials, and evidence that training has taken place. Encryption compliance is high on the interest list. An average audit can have between three and five auditors spending up to five days at a facility, but larger organizations can expect a visit of up to 10 days. At the conclusion of the visit, the auditors will file a report, and the organization will have 10 business days to review it and file a response.

The new head of the OCR, Leon Rodriguez, has said that the goal of the program is to identify opportunities for improvement and to help implement those improvements, rather than to look for infractions. However, he also stated, “I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties.” He added, “But that’s really not the primary goal of the audit program.”

The consulting firm of KPMG has been hired to conduct the audits. After the initial 20 have been completed, KPMG will work with OCR to “revisit the audit protocol” and make adjustments. The remaining 130 audits are expected to be conducted in the second half of 2012.

The best way to prepare for a potential audit is to ensure that your practice meets all the requirements of HIPAA and HITECH. MedSafe/TCS can address all your compliance needs. Visit our website for more information on all our services.