Aug 16 2011

HHS Identifies HIPAA Audit Goals

The Health Information Technology for Economic and Clinical Health (HITECH) Act mandates that the U.S. Department of Health and Human Services (HHS) conduct audits of covered entity and business associate compliance with HIPAA rules. HHS’ Office for Civil Rights (OCR) is charged with HIPAA enforcement responsibility and has awarded a $9.2 million contract to KPMG, LLP to assist in designing and carrying out the HIPAA audits.

In a recent webinar hosted by the International Association of Privacy Professionals (IAPP), OCR’s Deputy Director for Health Information Privacy described the key goals, in practice the areas of focus, of a HIPAA audit, including:

  • Incident detection and response

  • Access log review

  • Secure wireless network

  • User access and password management

  • Theft or loss of mobile devices

  • Up-to-date software

  • Role-based access/lack of information access management

The first phase of the audits is expected to begin this fall and should conclude by the end of December 2012. OCR anticipates that it will visit up to 150 covered entities during the first phase of audits. OCR and KPMG are currently working on a model for objectively selecting organizations for audit based on a number of risk factors, including size, type of entity, and prior incidents. Selected entities should receive advance notice before any audit.

New information regarding the HIPAA audits, when released, should be available from OCR. The IAPP’s webinar is available to order from the IAPP.