This month, the HHS Office for Civil Rights begins HIPAA audits to assess covered entities' compliance with the privacy, security and breach notification rules. KPMG, the consulting firm contracted to perform these audits, has developed audit protocols and will conduct up to 150 audits within roughly the next year.
The audits will start with 20 "initial" audits to test the protocols. "The results of the initial audits will inform how the rest of the audits will be conducted," according to a new OCR Web page with information on the program. OCR will initially focus on auditing covered entities of various sizes and functions; business associates will be included in future audits. "We expect covered entities to provide the auditors their full cooperation and support, and remind them of their cooperation obligations under the HIPAA Enforcement Rule."
OCR will notify in writing those covered entities selected for audit (OCR does not explain how entities will be selected). The notification will explain the program and describe initial document and information requests, which should be provided within 10 business days. Selected covered entities can expect a site visit between 30 and 90 days after notification.
OCR will use KPMG’s audit reports to determine the types of technical assistance that should be developed and what types of corrective actions are most effective. "Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem," according to the office. "OCR will not post any listing of audited entities or the findings of an individual audit which clearly identifies the audited entity."