The HIPAA Auditors Are Coming! The HIPAA Auditors Are Coming!

It is time for covered entities and business associates to jump-start HIPAA privacy and security programs and make sure that everything is in compliance. GovInfoSecurity reports that the Department of Health and Human Services (HHS) has awarded a $9.2 million contract to KPMG to develop protocols for conducting the long-awaited HITECH Act-mandated HIPAA compliance audit program. According to the bid synopsis, the program will include 150 site visits of covered entities and business associates by the end of 2012.

Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, observation of compliance with regulatory requirements....

There is no information in the contract bid document about how entities will be selected for audit or whether the auditors will review general compliance with the HIPAA Privacy and Security Rules or something more focused and specific. There is also no insight as to whether the written audit reports will be used by HHS for enforcement purposes.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.