The auditors are coming. The U.S. Department of Health and Human Services (HHS) recently awarded KPMG, one of the Big Four auditing services, a $9.2 million contract to conduct 150 HIPAA compliance audits in 2012.
If an unexpected audit is likely to highlight significant HIPAA compliance issues, consider retaining a HIPAA consulting firm to bring the organization into compliance as quickly as possible.
These audits are required by law under the amendments made through the HITECH Act in 2009. This contract is meant to create a pilot program to evaluate the methods that HHS and contractors will use for their ongoing audit programs. What does this program mean for organizations that must comply with HIPAA? What happens during the audit, and what can you do to prepare? That's what we'll discuss in this tip.
Am I likely to be audited?
Overall, the chances of any specific organization being included in the pilot sample group are quite small. The scope of this year’s pilot program is limited to 150 covered entities, and HHS has stated it will select a wide range of organizations to ensure the validity of its pilot program. Covered entities include: health care providers (doctors, hospitals, clinics, pharmacies and other providers), health plans (including outsourced health insurance programs and self-insured organizations), and health information clearinghouses. It would be surprising if any of these groups were left out of the pilot group.
While it might be logical to think the audits will focus only on the “big fish,” this is not the case. HHS plans to include organizations of all sizes in the pilot audit group and has explicitly stated that it will consider both individual and organizational providers of health care. So, yes, KPMG might be knocking on the door of your neighborhood physician or dentist. Again, it's statistically unlikely, but it could happen.
However, there is one group that doesn’t have to worry just yet. The scope of this pilot is limited to HIPAA-covered entities, so HIPAA business associates are off the hook for the time being. However, HHS stated they intend to include business associates in future audit programs.
How does the KPMG HIPAA audit process work?
If your company is selected as part of the initial KPMG pilot audit group, it will receive a letter from HHS’s Office of Civil Rights to provide notification of the audit parameters and of the organization's mandatory participation under the HIPAA Enforcement Rule. Expect the audit itself to take at least three months and include an on-site visit. Here’s the basic outline of the process:
- The organization receives an audit notification letter from HHS and is asked to submit documentation describing its security and privacy program.
- KPMG conducts an on-site audit, including interviews and observation of business processes for compliance.
- KPMG prepares a draft audit report and shares it with the auditee.
- The auditee has an opportunity to discuss concerns about the report with KPMG, and provide a management response to the audit findings.
- KPMG submits the final audit report to HHS.
HHS will use the complete body of work, that is, the summary of all 150 audits combined, to identify best practices for HIPAA security, as well as the effectiveness of compliance programs in the health care industry. It also reserves the right to initiate compliance reviews of organizations identified as having a “serious compliance issue.” KPMG expects to complete all of the audits in the pilot program by December 2012.
What should we be doing to prepare?
Hopefully, most organizations that are bound by HIPAA compliance are already prepared for the possibility of a HIPAA audit. If an enterprise's business practices are designed to comply with the HIPAA Security Rule and the HIPAA Privacy Rule, it shouldn’t have anything to worry about. If an unexpected audit is likely to highlight significant HIPAA compliance issues, consider retaining a HIPAA consulting firm (and perhaps legal counsel) to bring the organization into compliance as quickly as possible.
Assuming an enterprise's operations are generally compliant, the most important thing to do to prepare for the auditors’ arrival is to get the organization's documentation in order. If it hasn't already been done, collect all of the organization's risk assessment materials, especially those pertaining to controls designated as “addressable” under HIPAA, and prepare a summary of the compliance program for the auditors.
Remember, the best way to make any formal audit easier is to make the job easier for the auditor. HIPAA audits are no exception. Good luck!
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on network security for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.