The random HIPAA compliance audits mandated under the HITECH Act will begin this month. Yesterday, the HHS Office of Civil Rights (OCR) announced that every covered entity and business associate is eligible for an audit. To guide future audit efforts, a wide range of types and sizes of covered entities will be selected. Based on the results, OCR will refine the audit methodology. Eligible entities include both individual and organizational health providers, health plans of all sizes and functions, and health care clearinghouses.

OCR contracted with KPMG of McLean, Virginia, to implement the pilot audit program, which was designed by consultant Booz Allen Hamilton. As previously reported, this pilot program will include 150 compliance audits over the next 13 months.

Entities selected for audit will be notified by mail and asked to submit documentation of compliance efforts in advance of an onsite visit. The onsite portion of the audit is expected to take between 3 and 10 business days, depending on the size of the audit. Audited entities will have the opportunity to review a draft report and provide comments, which will be incorporated into the final report submitted to OCR.

According to OCR, these audits are primarily a compliance improvement activity. Should an audit indicate a serious compliance issue, OCR may “initiate a compliance review to address the problem.” While OCR did not explicitly say this, the compliance review could lead to civil monetary penalties, a negotiated settlement along with a “corporate integrity agreement” and/or referrals to the Department of Justice in the event that criminal conduct is suspected. OCR’s official statements can be viewed in their entirety at https://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.

Because of the complexity of the HIPAA regulations, the generally lax enforcement to date, and the widespread failures uncovered by earlier CMS compliance audits of hospitals, this author believes that these audits will reveal widespread compliance failures. Proactive organizations can prepare by conducting their own internal audit, and/or contracting with an outside organization to conduct this audit. An effective compliance audit will include a prioritized remediation plan so that organizations can correct the most serious problems first.
