HIPAA Privacy & Security Audit Program Begins – Are You Ready?

March 27, 2012

The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards. To implement this mandate, the HHS Office for Civil Rights (OCR) is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began in November 2011 and are to conclude by December 2012.

Audits Conducted by Private Contractor

OCR has engaged the accounting firm KPMG LLP to conduct the audits. Entities being audited will be required to respond to KPMG document requests within 10 business days of receipt and will likely have 30 to 90 days' notice of the on-site visit by KPMG. The on-site visit will last three to 10 business days, depending on the complexity of the organization. KPMG will provide its draft report to the audited entity for review and comment, give the entity 10 business days for that review, and then submit its final report to OCR.

Who will be audited?

Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selecting the entities that will be audited and will audit as wide a range of types and sizes of covered entities as possible: covered individual and organizational providers of health services (including physician practices), health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. Business associates will be included in future audits.

OCR says it will not post a list of the audited entities, nor audit findings in a form that would clearly identify the audited entity. Selected entities will receive a letter from OCR along with a document request from the contractor performing the audits.

How will the audit program work?

The privacy and security performance audit process will use generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include a site visit and will result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop a draft report and share it with the entity; audit reports generally describe how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings. Before the report is finalized, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address the issues identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, and will also describe any best practices observed at the entity.

While OCR will select only a very small percentage of covered entities for audit under the pilot program, the program is representative of OCR's stepped-up efforts to enforce and ensure compliance with the HIPAA Privacy and Security Rules. Accordingly, it would be prudent for covered entities to revisit their policies and procedures for compliance with those Rules and to ensure that they have completed and documented at least one security risk analysis consistent with the HIPAA Security Rule (the risk analysis requirement at 45 CFR 164.308(a)(1)(ii)(A)). Since auditors will ask for documentation within 10 business days, that documentation should exist and be current before a selection letter arrives, not assembled after it.

Reed Tinsley, CPA is a Houston-based CPA, Certified Valuation Analyst, and Certified Healthcare Business Consultant. He works closely with physicians, medical groups, and other healthcare entities with managed care contracting issues, operational and financial management, strategic planning, and growth strategies. His entire practice is concentrated in the health care industry. Please visit www.rtacpa.com
