OCR hires contractor for HIPAA audit plan


Thanks to Adam Greene of Davis Wright Tremaine for this tip:

The Office for Civil Rights (OCR) has hired an organization to implement its HITECH-required HIPAA compliance auditing plan.

OCR selected KPMG of McLean, Va., to assist it in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by HITECH.

According to a snapshot of the contract provided by HHS, KPMG, under the $9.2 million contract, will audit 150 entities of varying size by Dec. 31, 2012. HITECH required “periodic audits” of covered entities and business associates to ensure HIPAA compliance. OCR had hired Booz Allen Hamilton to recommend a model HIPAA auditing plan, and has now hired KPMG to implement it.

Writes Greene on his website:

“The awarding of the audit contracts raises as many questions as it answers. We do not know the scope of the audits, such as whether KPMG will review general compliance with the Privacy and Security Rules or whether the audits will be focused on specific issues. Once Booz Allen Hamilton completes its contract to identify audit candidates, we do not know how entities will be selected for audit. … We do not know what will happen if an entity is selected for audit and it has an existing relationship with KPMG; KPMG may need to use a subcontractor to conduct such audits. Most importantly, we do not know whether the audit program will be used as an enforcement tool (leading to resolution agreements or civil monetary penalties), or whether it will be used strictly as an educational tool to improve general compliance.”

The new contractor’s duties will include the following:

  • Site visits that include:
    • Interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director)
    • Examination of physical features and operations
    • Consistency of process to policy
    • Observation of compliance with regulatory requirements
  • An audit report that covers the following:
    • Timeline and methodology of the audit
    • Best practices noted
    • Raw data collection materials such as completed checklists and interview notes
    • Certification indicating the audit is complete
    • Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan
    • Recommendations regarding continued need for corrective action, if any
    • Description of future oversight recommendations

Further, KPMG will produce a final report based on the audits that will include, at minimum:

  • Methods used to conduct the audit
  • Findings that include:
    • Condition: the defect or noncompliant status observed, and evidence of each
    • Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
    • Cause: the reason that the condition exists, along with identification of the supporting documentation used
    • Effect: the risk or noncompliant status that results from the finding
    • Recommendations for addressing each finding
  • Entity corrective actions taken, if any
  • Acknowledgement of any best practice(s) or success(es)
  • Overall conclusion paragraph

“Covered entities may wish to focus on checking that policies and procedures are up to date, rather than merely a binder sitting on a shelf, and ensure that the workforce has been appropriately trained (especially newer staff),” Greene writes. “Covered entities and business associates also may wish to do their own site visits to see that policies have been implemented among staff and that they are effective in protecting privacy. Some seemingly good privacy policies fail in the face of practical realities, such as human error, limited staff time, and limited resources.”

Categories: HHS, HITECH Act


  1. Frank Ruelas says:

    Well…at least we know the who…but as Adam points out so clearly…as to the how and what…this is a mystery.

    Another concern…150 audits by 12/31/12.

    One key aspect of auditing which I learned years ago has to do with expectations and education. To be brief…if an entity is going to be audited, one of the precepts is a clear identification of that which is being audited and how the audit will compile its findings. It certainly appears that we are nowhere in this ballpark yet…
