HIPAA Audit Procedures to Include Site Visits

The Health Information Technology for Economic and Clinical Health Act (“HITECH”) requires the Office of Civil Rights (“OCR”) to conduct periodic audits of covered entities in connection with complying with the privacy and security requirements set forth in Health Insurance Portability and Accountability Act (“HIPAA”). In June, the OCR awarded KPMG, LLP (the “Contractor”) a $9.2 million contract to administer HIPAA audits. During the first phase of audits, the OCR plans to visit 150 covered entities.

According to the Federal Business Opportunities website, after developing the audit protocol, the Contractor must meet the entities and perform the following audit activities:

• Site Visits – Site visits include interviewing with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management director, etc.), examining physical features and operations, evaluating the consistency of process to policy, and observing compliance with regulatory requirements;
• Audit Report – Submitting an audit report after each site visit consisting of the following:

o A timeline and methodology of the audit, best practices, raw data collection materials (e.g., completed checklists and interview notes), a certification indicating the audit is complete;
o Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan;
o Recommendations to the contracting officer’s technical representative (“COTR”) regarding continued need for corrective action, if any, and description of future oversight recommendations; and
o A final report including, at a minimum:

– Identification and description of the audited entity–full name, address, EIN and contact person;
– Methods used to conduct the audit; and
– For each finding:

• Condition: The defect or non-compliant status observed, and evidence of each;
• Criteria: A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules;
• Cause: The reason that the condition exists, along with identification of supporting documentation used;
• Effect: The risk or non-compliant status that results from the finding;
• Recommendations for addressing each finding;
• Entity corrective actions taken, if any;
• Acknowledgement of any best practice(s) or success(es); and
• Overall conclusion paragraph.

For more information regarding HIPAA and compliance, please contact Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510 or (212) 734-0128 or visit the HLP website.

Contact Information