The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has begun the pilot phase of HIPAA privacy and security audits of health care providers, health insurers and health care clearinghouses (“covered entities”) to assess HIPAA compliance efforts.
While covered entities will be the focus of initial audits, business associates – organizations that provide services on behalf of covered entities and who as a result have access to protected health information (PHI) – will be included in future audits. Up to 150 covered entities will be subject to the initial audits, to be conducted by KPMG, LLP, the OCR audit contractor. Once notified in writing that the entity has been selected to be audited, entities will be required to provide requested information to KPMG, allow an on-site visit, and respond to the auditor’s initial report. Although the OCR says that audits are primarily a “compliance improvement activity,” the OCR may take further action if the audit uncovers serious HIPAA compliance issues. As a result of this audit process, all covered entities and their business associates should review their HIPAA privacy and security practices.
Download the full article here (PDF):