KPMG Wins Contract; 150 On-Site Audits Anticipated
The long-overdue HIPAA compliance audit program mandated by the HITECH Act will begin soon, with about 150 on-site audits of covered entities and business associates anticipated by the end of 2012.
The Department of Health and Human Services has awarded a $9.2 million contract to the consulting firm KPMG to develop the protocols and conduct the HIPAA audits. “Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, privacy officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy; and observation of compliance with regulatory requirements.”
Every site visit will result in a detailed audit report. The HHS Office for Civil Rights will oversee the audit program.
Time to Prepare
Adam Greene, formerly of OCR and now a partner at the Washington law firm Davis Wright Tremaine LLP, notes, “In light of the large numbers of HIPAA covered entities and business associates, the likelihood of being audited will be small. Nevertheless, now is a good time for covered entities and business associates to review their HIPAA privacy and security programs, ensure that their documentation is up to date and assess whether their programs are effectively protecting protected health information.”
Greene notes that because the program is funded through the HITECH Act, “It is not clear whether the audit program will continue after HITECH Act funds expire in 2012.”
The KPMG contract announcement “raises as many questions as it answers,” Greene says. “We do not know the scope of the audits, such as whether KPMG will review general compliance with the privacy and security rules or whether the audits will be focused on specific issues.” And although the contract says entities varying in size and scope will be audited, “we do not know how entities will be selected for audit,” Greene adds. “Most importantly, we do not know whether the audit program will be used as an enforcement tool (leading to resolution agreements or civil monetary penalties), or whether it will be used strictly as an educational tool to improve general compliance.”
Greene notes that HHS also awarded a $180,000 contract to Booz Allen Hamilton for “audit candidate identification.” He adds, “While limited information has been released about this contract, it is presumably for the purpose of identifying the universe of covered entities and business associates. Especially with respect to business associates, it may prove impossible for Booz Allen to generate a truly comprehensive list of candidates.”