This posting has been modified as of Sept. 8, 2011. Audit contracts are now available here.

By Adam H. Greene

In July 2011, DWT issued an advisory on HHS’ recent awarding of a contract to KPMG to conduct HIPAA privacy and security audits, available here. Since that time, we have obtained copies of the audit contracts, available here, and heard from the HHS Office for Civil Rights, shedding some additional light on what covered entities can expect:

• Audits that uncover major violations may lead to formal enforcement;
• The audits will focus on general privacy and security compliance;
• The contractor is expected to precede site visits with advance requests for documentation, thereby providing some level of advance notice;
• Audit teams are expected to consist of three to five persons and site visits are expected to last two to five days; and
• Pilot testing of the audit protocol is likely to begin later this year and proceed through January 2012, with the full round of audits occurring through the remainder of the year.

Audits as a Tool for Enforcement

The audit program will be used primarily to measure the state of compliance, but audit findings may lead to formal enforcement. Susan McAndrew, the Deputy Director of Privacy at the HHS Office for Civil Rights (OCR), has stated that “if we uncover, in the course of the audit, major violations or potential violations, we will be dealing with those in the same manner that we would through our formal enforcement process.” Additionally, the audit contract requires the contractor to inform the audited entity that “OCR may initiate further compliance enforcement action based on the content and findings of the audit, and that corrective action that cures identified deficiencies may serve to reduce or eliminate potential civil money penalties.”

Audits Will Assess General Privacy and Security Compliance

The audit contract requires the contractor to develop a protocol that covers the entirety of the privacy and security rules, but that can be broken into issue-specific modules for more focused audits:

The protocol should be a comprehensive methodology, serving as a single source of audit criteria, assessment methods, and procedures for the conduct of the HIPAA privacy and security compliance audits, reflecting the specific requirements that apply to each of the three types of covered entities: covered health care providers, health plans and health care clearinghouses.

The protocol should assess whether such entities have, consistent with these regulations, comprehensive policies and procedures to address critical requirements to which the entity is subject and to determine whether routine operations implement these policies and procedures consistently with the Rules. The audit protocol should provide for comprehensive assessment of policies, procedures, practices, systems, operations and infrastructure.

The protocol should cover the entire HIPAA Privacy and Security Rules as well as be designed so that modules of the protocol can be used for audits targeted to areas of high risk and frequent noncompliance as directed by the [Contract Officer’s Technical Representative]. The emphases should enable the audit to identify and address critical weaknesses of an entity’s compliance.

Elaborating on the scope of the audits, McAndrew stated that “we will be focusing primarily on more comprehensive aspects of compliance. That’s not to say that we won’t find a capacity within this pilot period for running a few audits that are more issue-directed.” Accordingly, it appears that OCR is focusing on general privacy and security audits in 2012, but is building out the capability to have more focused audits of specific areas of high-risk or frequent noncompliance.

While the HITECH Act calls for audits of covered entities and business associates, the above contractual language appears focused on covered entities. Likewise, McAndrew has indicated that audits initially will be focused on covered entities, and OCR is undecided as to whether to include business associates in the 2012 audits.

What to Expect from a Site Visit

The audit contract requires that every audit will include a site visit. McAndrew has stated that “[t]here will usually be advanced request for documentation and survey material from the covered entity so that the auditor can best use their time onsite to focus in on what they need to do and the people they need to talk to onsite.” Accordingly, it is likely that covered entities will have a significant amount of notice before an audit (although the covered entity may need to spend this time period scrambling to gather the information requested by the auditor).

The contract anticipates audit teams consisting of three to five persons, except that two to three persons may be used for “small non-complex practices.” Auditors should have expertise in compliance auditing, HIPAA privacy, HIPAA security and information technology auditing. The contract expects that site visits will typically last two to five days, depending on size and complexity. Site visits will include interviews with leadership, such as the chief information officer, privacy officer, legal counsel, and/or health information management/medical records director. They will also include examination of physical features and operations, consistency of process to policy, and observation of compliance with regulatory requirements.

The Timing of Audits

The audit program will consist of three stages—a pilot program of up to 20 audits, the primary round of audits, and an evaluation. McAndrew indicated that OCR intends for the pilot program to proceed through January 2012, with full audits occurring through the remainder of 2012. OCR has not yet awarded a contract for the evaluation of the audit program.

As for what happens after 2012, OCR has not made any decisions at this time, but instead will evaluate the results of these initial audits. OCR’s initial statements regarding business associates and issue-focused audits suggest plans for future audits beyond 2012. While budgets around D.C. may be tight in the coming years and the HITECH Act funds for this program dry up at the end of 2012, the HITECH Act also provides that OCR retains any settlement amounts or penalties resulting from privacy and security enforcement. The continuation of this audit program may be a prime candidate for the allocation of such funds.