Adam Greene, JD, MPH, a former regulator in HHS, recently shared details about the random audit program begun by the HHS Office of Civil Rights (OCR). The audit targets are selected using stratified random samples drawn from a database of covered entities created for OCR by consulting firm Booz Allen Hamilton. Four categories of organizations were created:

  • Level 1: Large payers/providers (revenues > $1 Billion)
  • Level 2: Regional hospital systems / regional insurers ($300M to $1 Billion)
  • Level 3: Community hospitals, outpatient surgery centers, regional pharmacies, self-insured plans ($50M to $300M)
  • Level 4: Small providers, community or rural pharmacies (less than $50M)

In order to better understand compliance patterns in all types of organizations, the audits will be split evenly between the 4 size levels. The audits are conducted by another contractor, KPMG. The lucky current selectees include:

Health Plans:

  • 1 State Medicaid Program
  • 1 State SCHIP Program
  • 3 Group Health Plans
  • 3 Health Insurance Companies

Providers:

  • 3 physician practices
  • 3 hospitals
  • 1 laboratory
  • 1 dentist
  • 1 long term care facility
  • 1 pharmacy

The audits are rigorous reviews of the entire HIPAA compliance process, conducted by teams of 3-5 auditors with different areas of expertise. The process begins with an extensive documentation request, followed by an on-site phase, a preliminary report, and a final report which includes the response by the audit target.

In cases where “serious non-compliance” is identified, a referral may be made to the Office of Civil Rights compliance department and may lead to settlements/penalties.

Covered entities of all types are encouraged to conduct their own internal audit as one part of an overall compliance program, and to address deficiencies identified.
