Published on: | by

HIPAA Audit Procedures to Include Site Visits

The Health Information Technology for Economic and Clinical Health Act (“HITECH”) requires the Office of Civil Rights (“OCR”) to conduct periodic audits of covered entities in connection with complying with the privacy and security requirements set forth in Health Insurance Portability and Accountability Act (“HIPAA”). In June, the OCR awarded KPMG, LLP (the “Contractor”) a $9.2 million contract to administer HIPAA audits. During the first phase of audits, the OCR plans to visit 150 covered entities.

According to the Federal Business Opportunities website, after developing the audit protocol, the Contractor must meet the entities and perform the following audit activities:

• Site Visits – Site visits include interviewing with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management director, etc.), examining physical features and operations, evaluating the consistency of process to policy, and observing compliance with regulatory requirements;
• Audit Report – Submitting an audit report after each site visit consisting of the following:

o A timeline and methodology of the audit, best practices, raw data collection materials (e.g., completed checklists and interview notes), a certification indicating the audit is complete;
o Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan;
o Recommendations to the contracting officer’s technical representative (“COTR”) regarding continued need for corrective action, if any, and description of future oversight recommendations; and
o A final report including, at a minimum:

– Identification and description of the audited entity–full name, address, EIN and contact person;
– Methods used to conduct the audit; and
– For each finding:

• Condition: The defect or non-compliant status observed, and evidence of each;
• Criteria: A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules;
• Cause: The reason that the condition exists, along with identification of supporting documentation used;
• Effect: The risk or non-compliant status that results from the finding;
• Recommendations for addressing each finding;
• Entity corrective actions taken, if any;
• Acknowledgement of any best practice(s) or success(es); and
• Overall conclusion paragraph.


For more information regarding HIPAA and compliance, please contact Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510 or (212) 734-0128 or visit the HLP website.

Contact Information
Detroit
32000 Northwestern Hwy #240
Farmington Hills, MI 48334
P (248) 996-8510 F (248) 996-8525

The Health Law Partners, P.C.

New York City
15 W 38th St 4th Floor #735
New York, NY 10018
P (212) 734-0128 F (917) 210-2952

The Dresevic, Iwrey, Kalmowitz & Pendleton Law Group A Division of The Health Law Partners, P.C.

This is an attorney advertisement.

We serve the following localities: Alpena County, Alpena, Bay County, Auburn, Bay City, Essexville, Pinconning, Berrien County, Benton Harbor, Berrien Springs, Buchanan, Coloma, Niles, St. Joseph, Stevensville, Watervliet, Calhoun County, Albion, Battle Creek, Marshall, Charlevoix County, Boyne City, Charlevoix, East Jordan, Cheboygan County, Cheboygan, Crawford County, Grayling, Eaton County, and Bellevue. [ View More ]

This is an attorney advertisement.

Branding by Zoyes Creative

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2024, The Health Law Partners, P.C.
JUSTIA Law Firm Blog Design