Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

HHS/OCR Audits Are Almost Here – OCR Issues “Sample” Audit Letter

Posted in HIPAA Enforcement

 Contributed by David Restaino, Esq.

 Last month a posting was made on this blog series regarding action being taken by the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) relating to the fact that government audits for HIPAA compliance with privacy and security standards are finally beginning.  In this regard, OCR recently released a “sample” letter (the “Sample Letter”) that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for audit in 2012.  As OCR noted in the Sample Letter, recipients of actual letters will find that the audit process will begin within 30 to 90 calendar days from the date of the letter. 

 

OCR has hired KPMG LLP (“KPMG”), one of the “Big Four” certified public accounting firms, to conduct the audits in accordance with government auditing standards.  OCR’s release of the Sample Letter likely represents its way of communicating to all regulated facilities that KPMG’s actions will have the same force and effect as actions by OCR itself.  As a result, when KPMG requests detailed information at the beginning of and during the audit process, the covered entity under audit should assume that the KPMG request carries with it the full weight of the United States government. 

  

Release of the Sample Letter can also be viewed as OCR’s effort to prepare the regulated community for the seriousness of the upcoming audits.  Perhaps more importantly, recipients of actual letters should use the 30 to 90 calendar day period to get prepared — although facilities would be well advised to take appropriate steps to ensure compliance now rather than risk the adverse results that can occur from last-minute efforts to organize for an audit.  Those facilities that are unprepared will have a difficult time getting ready if KPMG comes knocking. 

 

(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)