Information continues to trickle out regarding the status of the Office for Civil Rights’ (OCR) mandated audits of Health Insurance Portability and Accountability Act (HIPAA) covered entities. OCR’s Deputy Director for Health Information Privacy Susan McAndrew recently confirmed that the first 20 audits have been completed, although the organizations audited have not yet received their final audit reports. An additional 95 covered entities have been selected for audit, for a total of 115 audits, down from the 150 initially announced when KPMG was awarded the contract to conduct the audits on OCR’s behalf. Of the additional 95 selected for audit, 25 have been notified and are providing documentation to the auditors.  

Earlier information provided by OCR described an audit timeline of at least 60 days as follows:  

  • Notification letter sent to covered entities: one day
  • Receiving and reviewing documentation and planning the audit field work: minimum of 10 days
  • On-site field work: three to 10 days
  • Draft audit report: 20–30 days
  • Covered entities review and comment on draft audit report: 10 days
  • Final audit report: 30 days  

OCR also announced that an audit protocol will be made available on its website “in the near future,” and that no business associates will be audited in the 2012 round of audits. Perhaps the decision to give business associates a pass in this round is due to the fact that Health Information Technology for Economic and Clinical Health Act rules addressing large parts of a business associate’s obligations have not yet been finalized. Notably, President Obama’s proposed fiscal 2013 budget includes a 5 percent cut for OCR spending, and OCR has not yet announced whether its audits will continue into 2013.  

What should covered entities do to prepare for the possibility of audit? Watch for the release of OCR’s audit protocol and conduct a self-audit according to its parameters promptly upon its release. If audited, prepare to respond to or rebut initial findings of the auditors before the report is finalized (see timeline outlined above). Finally, watch for the release of the first batch of final audit reports; although final audit reports will not identify the audited entities, they should provide valuable insights as to focus areas and priorities for OCR.