On June 10, 2011, the Department of Health and Human Services (HHS) awarded to KPMG a $9.2 million contract to create an audit protocol and then audit covered entities’ and business associates’ compliance with the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The contract calls for as many as 150 audits of entities varying in size and scope before Dec. 31, 2012.

In light of the large numbers of HIPAA covered entities and business associates, the likelihood of being audited will be small. Nevertheless, now is a good time for covered entities and business associates to review their HIPAA privacy and security programs, ensure that their documentation is up to date, and assess whether their programs are effectively protecting protected health information.

The HITECH Act’s audit program

HHS, through the Office for Civil Rights (OCR), historically has investigated potential violations of the Privacy Rule (and more recently the Security Rule) based on the receipt of complaints. OCR also has initiated some “compliance reviews,” proactively initiating investigations of covered entities (often in response to media reports indicating noncompliance).

Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, requires HHS to, additionally, conduct periodic audits to ensure that HIPAA covered entities and business associates are complying with the Privacy and Security Rules.

HHS contracted with Booz Allen Hamilton in March 2010 to conduct a study of different audit methodologies. Booz Allen completed the contract in Aug. 2010, but HHS has not made the resulting report public.