On Nov. 8, 2011, the U.S. Department of Health & Human Services (HHS) announced that audits to assess compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will begin in November of 2011.

The audits, which are required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, will be performed by the public accounting firm KPMG LLP.  According to HHS, the pilot audit program will involve audits of 150 covered entities beginning approximately November 2011 and concluding by December 2012.  Business associates will not be included in this pilot audit program but will be included in future audits. 

The pilot audit program will encompass a three-step process. The first step of developing the audit protocols has been completed. The second step will involve conducting a limited number of initial audits to test the audit protocols. The results of the initial audits will be reviewed to determine whether there will be an adjustment of any of the audit protocols. The third and final step will be conducting the remaining audits using the revised audit protocols.

HHS reports that the Office for Civil Rights (“OCR”), the agency that enforces HIPAA, will select a wide-range of types and sizes of covered entities for the audits.  Individual providers, organizational providers, health plans of all sizes and functions, and health care clearinghouses will all be considered for an audit.  The audit will cover both the privacy and security rules under HIPAA.

According to HHS, a covered entity selected for an audit will receive a letter approximately 30 to 90 days prior to the audit. The letter will inform the covered entity of the upcoming audit, explain the audit process, and request specific information and documents such as the covered entity’s written HIPAA policies.  Covered entities will be expected to provide the information within 10 business days of receiving the request.

Following notification, the auditor will conduct the next phase of the audit on the physical site of the covered entity.  OCR anticipates that the onsite visits may take between 3 and 10 business days to complete, depending on the covered entity’s size and complexity. Approximately 20 to 30 days after the onsite visit, the auditor will provide the covered entity with a draft report of the audit results.  The covered entity will have 10 business days to respond to the draft audit report.  Approximately 30 days after the auditor receives the covered entity’s response, the auditor will submit its final audit report to OCR.

OCR will review all final audit reports.  According to HHS, the audits are primarily meant to improve compliance, so that OCR will use the audit reports to determine what type of technical assistance it should develop and what type of corrective action would be most effective. However, covered entities should expect to be asked to take corrective action if there are negative findings as a result of the audit.  In addition, if an audit report indicates a compliance issue that OCR considers to be serious, OCR may open a separate investigation to address the issue through a potential enforcement action.