By: Helen Oscislawski, Prinicpal at Attorneys at Oscislawski LLC

The United States Department of Health and Human Services (HHS) has announced that it will begin HIPAA audits of covered entities and business associates this November 2011, and its contracted auditor, KPMG, is required to audit up to 150 entities by the end of 2012!  HHS’s website provides detailed information regarding when the audits will begin, who may be audited, how the audit program will work, what the general timeline will be for an audit, and, generally, what will happen after an audit is completed. In addition, HHS's sample Audit Letter indicates that KPMG will focus on discovering vulnerabilities in privacy and security compliance programs, and that certain “information” and “documents” will be requested in connection with the audit. However, no additional details are given regarding what covered entities and business associates may be asked to produce.

Presumably, KPMG will not be letting the HIPAA audit cat out of the bag too soon by telling organizations exactly what information and documents they may ask for in connection with such audits, especially where one of their objectives is to identify gaps in HIPAA compliance. Nevertheless, covered entities and business associates may gain valuable insight into what to expect by looking to past guidance regarding HIPAA audits issued by HSS’s Office of e-Health Standards and Services (the “HIPAA Audit Checklist”), as well as by reviewing HIPAA audits and investigations that have taken place over the last few years.

In its formerly-released HIPAA Audit Checklist, the Office of e-Health lists out the types of personnel that may be interviewed, and the the types of policies, procedures and other documentation and evidence that may be requested.  In addition, the audit of Atlanta, Georgia’s Piedmont Hospital is informative. In February of 2007, HHS through the Office of Inspector General conducted a random HIPAA audit of Piedmont hospital.  The letter to Piedmont’s CIO announced that the focus of the audit would be on the organization’s compliance with the Security Rule and indicated that the audit would begin with an “entrance conference” 10 days after Piedmont’s receipt of the audit letter from the Regional Inspector General for Audit Services (note that the proposed timeframe for coming KPMG audits is 30-90 calendar days from the date on the applicable HHS Audit Letter).  The Piedmont audit letter also included an enclosure asking for a list of documents and information to be provided, which overlapped significantly with the Office of e-Health’s HIPAA Audit Checklist!   Covered entities and business associates may also glean additional insight from what HHS/OCR has asked for in connection with complaint-driven HIPAA investigations. HHS/OCR has posted on its website several Resolution Agreements with covered entities who have been through a HIPAA investigation.  These agreements also contain hints as to what covered entities and business associates may be asked for during a HIPAA Audit.

Until news of organizations starting to receive HIPAA audit letters starts to trickle out and KPMG begins its work, it is not possible to know exactly what KPMG will ask for and focus on.  Nevertheless, covered entities and business associates should not sit back and take a “wait and see” approach.  Rather, organizations should prepare now by completing an internal review of their HIPAA compliance program to ensure that their policies are current and are being followed by their workforce, and all other required HIPAA documentation is in place and ready to be produced in case a HIPAA Audit letter arrives in the mailbox tomorrow.

Click here to download a copy of Oscislawski LLC's November edition of "Health Law Diagnosis", which includes a list of HIPAA compliance items that all covered entities and business associates should have in order to be prepared for a HIPAA Audit.