OCR HIPAA Audits Finally Kick Off - Do They Matter?

more+
less-

The HITECH Act called for stepped-up HIPAA privacy and security and breach notification rule enforcement with respect to covered entities and business associates, to be accomplished by spot-check audits. This month, the first 20 of a planned 150 audit subjects will be getting notices from the U.S. Department of Health and Human Services Office of Civil Rights' contractor, KPMG, saying that their numbers are up. These early test cases will be a proving ground for the auditors and the audit process, as much as for the covered entities to be audited (no business associates in the first 20, or even in the whole batch of 150, apparently). The first round of 20 audits -- and a review of the audit protocols -- is slated to take about five months. Up to 130 other audits will follow, in the final eight months of this pilot. Each audit is supposed to take about 30 business days, and will include on-site interviews and investigations. Document requests are to be turned around in ten days, and KPMG will give 30-90 days advance notice of site visits. In theory, audits may bring to light issues that do not surface in the course of complaint investigations, and are expected to yield OCR guidance and highlighting of best practices.

Will this audit program change behavior of covered entities and business associates?

LOADING PDF: If there are any problems, click here to download the file.