On June 10, 2011, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) awarded KPMG a $9.2 million contract to develop a pilot HIPAA audit program mandated under the HITECH Act of 2009 to ensure compliance with the HIPAA Privacy and Security Rules and Breach Notification standards.
Between November 2011 and December 2012, the OCR will audit up to 150 covered entities.
What is My Risk?
OCR has made clear that enforcement actions may follow audits revealing significant HIPAA Security compliance issues.
In recent years, OCR has stepped up its enforcement activity:
• Massachusetts General Hospital. $1 million settlement and three-year Corrective Action Plan for loss of Protected Health Information (“PHI”) by an employee. (February 2011)
• Cignet Health. $4.3 million penalty for refusing patients access to their medical records. (February 2011)
• UCLA Health System. $865,000 settlement and three-year Corrective Action Plan for allowing unauthorized access to patient medical records. (July 2011)
Will My Organization Be Next?
The initial HIPAA audit program is focused on HIPAA-covered entities (i.e., health care providers, health plans, and health care clearinghouses). With 150 audits planned and an aggressive timeline, covered entities should not be surprised to receive an audit request.