And the New HIPAA Cop Is … HHS Appoints Contractor to Conduct HIPAA Privacy and Security Audits

On June 10, 2011, the Department of Health and Human Services (HHS) awarded to KPMG a $9.2 million contract to create an audit protocol and then audit covered entities’ and business associates’ compliance with the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The contract calls for as many as 150 audits of entities varying in size and scope before Dec. 31, 2012.

In light of the large numbers of HIPAA covered entities and business associates, the likelihood of being audited will be small. Nevertheless, now is a good time for covered entities and business associates to review their HIPAA privacy and security programs, ensure that their documentation is up to date, and assess whether their programs are effectively protecting protected health information.

The HITECH Act’s audit program

HHS, through the Office for Civil Rights (OCR), historically has investigated potential violations of the Privacy Rule (and more recently the Security Rule) based on the receipt of complaints. OCR also has initiated some “compliance reviews,” proactively opening investigations of covered entities (often in response to media reports indicating noncompliance).

Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, additionally requires HHS to conduct periodic audits to ensure that HIPAA covered entities and business associates are complying with the Privacy and Security Rules.

HHS contracted with Booz Allen Hamilton in March 2010 to conduct a study of different audit methodologies. Booz Allen completed the contract in Aug. 2010, but HHS has not made the resulting report public.

Published In: Administrative Agency Updates, Consumer Protection Updates, Health Updates, Insurance Updates, Privacy Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
