Contributed by David Restaino, Esq.

Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which will increase the frequency and depth of government audits for HIPAA/HITECH compliance over the next year. This initiative may be in direct response to some critics that OCR was not doing sufficient monitoring of compliance with HIPAA/HITECH.


Preliminary Audit Procedures. Specifically, OCR awarded a contract worth over $9 million to KPMG, LLP for administration of the audits, which will begin shortly. The audits are required by the American Recovery and Reinvestment Act of 2009 (ARRA), which states at Section 13411, “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements … comply with such requirements.”   Details are sketchy regarding the process to identify the entities that will be audited. However, this much is known:


● The first step will be creation of audit protocols, followed by an undertaking of the actual audits.

● OCR will base its decision to audit upon risk.

● Audits will not be based upon complaints or actual reported privacy or security breaches. 

● KPMG will assist OCR in establishing the program to audit covered entities and business associates, and their compliance with the privacy and security rules.

● HHS staff will guide KPMG’s conduct during the audits.

● The audits will include site visits, interviews with leadership, documentation, an examination of operations, and an assessment of the consistency with which process is married to policy.

● Each audit will be followed by a report that will, among other things, address compliance efforts and corrective actions taken. 


Who Will Be Audited?  HHS reports that every covered entity and business associate is eligible to be audited. The initial round of recipients is expected to provide a broad assessment of a complex and diverse health care industry. Thus, the audit process is designed to have OCR audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered. OCR has also made it explicitly clear that covered entities must fully cooperate with the auditors – as obligated under the HIPAA “enforcement rule.” Finally, HHS reports that business associates will be included in future audits.


What can covered entities do now to be ready? For starters, they can make sure that all policies and procedures are in place now. For example, the HHS website states that covered entities will have only ten (10) days to produce documents; this is not much time if policies and procedures are not already in good order. 


Based on the above, the best way to get prepared is to make sure that compliance protocols are in place, and being followed, today. Stated differently, all covered entities and business associates should assess their compliance efforts, ensure that timely corrective actions are taken when necessary, and remain on their guard.  Documentation of the proactive assessment and corrective measures should also assist in demonstrating that the compliance efforts are effective.


(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)