Hospitals, physician practices, and other healthcare entities have long been subject to a variety of sometimes random audits. For example, IRS audits, payer audits by Medicare or private insurance companies, state Workers’ Compensation audits, and federal Department of Labor audits can all occur. To this list will shortly be added HIPAA audits. The United States Department of Health and Human Services (HHS) has announced that it has retained a contractor to begin doing random audits for HIPAA compliance in 2012. In June, KPMG, LLP was awarded a $9.2 million contract to administer the audits. The audits are presently scheduled to commence prior to the end of 2011, with the first audit phase scheduled to end by December 31, 2012.
In addition to random audits, HIPAA compliance audits can be triggered by a breach involving the impermissible disclosure of Protected Health Information (PHI) that compromises the security or privacy of that information and which poses a significant risk of financial, reputational or other harm to the affected individual. HHS’s Office for Civil Rights (OCR) has ready access to information on breaches, due to provisions of the HITECH Act and related breach notification regulations requiring covered entities to report breaches no later than 60 days after discovery of a breach involving PHI of at least 500 individuals, and annually in the case of a breach involving fewer than 500 individuals.