The United States Department of Health and Human Services (“HHS”) recently posted on its website a formal announcement of a new audit program it is launching under the Health Insurance Portability and Accountability Act (“HIPAA”). The audits will be run by the Office for Civil Rights (“OCR”), the division within HHS responsible for enforcing HIPAA’s Privacy and Security Rules. According to the announcement on the HHS website, OCR will use the audit program to assess the HIPAA compliance efforts of a range of covered entities, identify best practices and discover previously unknown risks and vulnerabilities. OCR is expected to publicly share the best practices developed through the audit process.
HHS has entered into a contract with KPMG LLP, under which KPMG will be working with the HHS to conduct the audits. Under the program, the OCR expects to conduct up to 150 audits. The audits are commencing in November, 2011 and are expected to run through December, 2012. This initial group of audits is being referred to as the pilot phase.
The audits reflect a beefing up of the HHS oversight role under HIPAA. To date, HHS has limited itself to dealing with complaints it has received. In addition, the agency has sponsored various educational programs for affected parties. Proving there still are some among us who favor a more activist federal government (and thus are not likely big fans of either Rick Perry or Ron Paul), some have criticized HHS for doing too little to enforce the protections under HIPAA. This audit program appears to have been designed to respond to that concern.
HHS will audit only covered entities during the pilot phase. HHS indicates that it intends to audit a wide range of covered entities, including covered individual and organizational providers of health services, health plans of all sizes and health care clearinghouses. Business associates will be included in later audit programs.
Entities selected for an audit will be notified by OCR. These entities will be asked to provide documentation concerning their privacy and security compliance efforts. Every audit during the pilot phase will include a site visit (including interviews with key personnel and a review of processes to measure compliance) and will conclude with the preparation of an audit report. The auditors are expected to allow the audited entities an opportunity to review a draft audit report before completion. The final report submitted to OCR will review the steps the audited entity has taken to resolve any compliance issues identified by the audit, and also will describe any best practices the entity has developed.
In turn, representatives of the HHS will review the completed audit reports and will use the findings in those reports for developing future guidance and corrective programs. The HHS has reserved the right to initiate a compliance review against any audited entity in the event that an audit report indicates a serious compliance issue.
As noted, HHS plans to perform only a very limited number of audits in the pilot phase. Thus, only a small number of covered entities actually will face an audit at this time. However, more audits and other corrective procedures are coming. Accordingly, all covered entities and business associates (who later will be the targets of similar audits) are advised to take this opportunity to review and, where necessary, upgrade their HIPAA compliance programs, and to monitor closely communications from HHS related to the audits conducted in this pilot phase. At risk is the imposition of civil penalties (generally, a fine from $100 to $50,000 or more per violation, with a $1.5 million maximum) and even criminal sanctions (generally a sentence of one year in prison and up to a $50,000 fine, and these sanctions can increase with a finding of fraud or intentional harm).