UPDATED: 3:15 p.m.: The Office for Civil Rights at HHS has launched an audit program to test compliance by hospitals, office-based physicians, health plans and other "covered entities" with privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.
OCR begins HIPAA compliance audits
The audit program was mandated by the American Recovery and Reinvestment Act of 2009. The current iteration comes after the Office of the Inspector General at HHS issued a pair of reports last spring criticizing the OCR and the Office of the National Coordinator at HHS for laxity in their approaches to ensuring the security of health records.
In response to an inquiry, the OCR said via e-mail that the audit program launched Nov. 4 with the sending of notification letters to five of the first 20 entities to be audited. Additional letters are forthcoming, according to the OCR. All covered entities and business associates ultimately will be eligible to be audited, the OCR states on a page on its website about the audits. Business associates, which were accorded more direct liability under HIPAA by the stimulus law, "will be included in future audits," the agency notes.
Initially, 20 audits are planned; the first round of audits will serve to test audit protocols, and each audit in the first round will include a site visit. The OCR will complete as many as 150 audits by the end of December 2012, according to the agency's website.
In June, the OCR awarded a $9.2 million contract to consultant KPMG to conduct the audit program and awarded a contract of nearly $180,000 to consultant Booz Allen Hamilton to help identify audit candidates.