
HIPAA Compliance Audits: Your Newest Risk for Providers?

By Elizabeth Lamkin, Partner, and Greg Calosso, Senior Consultant, on February 2, 2012

Providers now have yet another audit to worry about: the HIPAA Compliance Audit Program.  In 2011, the HHS Office for Civil Rights (OCR) extracted several large settlements and fines for HIPAA violations: Cignet Health paid a $4.3M civil money penalty,1 Massachusetts General Hospital paid a $1M settlement,2 and UCLA Health System paid an $865k settlement.3 In 2012, we can expect many more to come.

In June 2011, the Department of Health and Human Services (HHS) awarded KPMG a $9.2M contract to develop protocols for, and to conduct, Health Insurance Portability and Accountability Act (HIPAA) audits.  These audits respond to Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, which requires HHS to conduct periodic audits to ensure that covered entities and business associates are in compliance with the Privacy and Security Rules.  The HITECH Act expanded the reach of HIPAA's criminal provisions and raised the civil penalty ceiling to $1.5M per calendar year for violations of an identical provision.  Criminal penalties for knowingly and wrongfully disclosing protected health information now reach $250k and up to 10 years of imprisonment in the most serious cases, such as disclosure for commercial advantage or malicious harm.

Because HHS anticipates only about 150 audits within the year, the chance of any individual provider being selected is low, but because the potential fines and settlements following a negative audit could be extremely high, providers are strongly encouraged to review their HIPAA compliance now and to seek outside help in assessing readiness where needed.

The program will be overseen by the HHS Office for Civil Rights (OCR).  Although the contract was awarded and announced in June 2011, the audits are expected to run throughout this year until December 31, 2012, when the HITECH Act funds expire.  However, the audits could continue past that date should OCR have the resources and see them as necessary.

In 2011, HHS also contracted twice with Booz Allen Hamilton: first in March, to study audit methodologies for the audit project, and again in June, to assist in identifying covered entities and business associates for audit.  Compiling a truly comprehensive list, especially one that includes business associates, will likely prove difficult.

As with a financial audit or assurance engagement, the HIPAA audits will include a site visit and an audit report.  Site visits will include interviews with stakeholders such as the chief information officer, the entity's legal counsel, health information management directors, and medical records directors.  Additionally, KPMG will examine the physical features of the health information system and its physical safeguards, daily operations, adherence to policies, and observed compliance with HIPAA requirements.  Consider, as you walk through your facility, a lab report inadvertently printed and left on a desk; that alone could be recorded as a HIPAA violation.

After the site visit and interviews, KPMG will create a final audit report, which will include:

1. Name and description of the audited entity
2. Audit timeline and methodology
3. Information on best practices observed
4. Raw data collected, such as interview notes and completed checklists
5. For each finding:
- Condition: The defect or noncompliant status observed (including evidence)
- Criteria: A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
- Cause: The reason that the condition exists, along with identification of the supporting documentation used
- Effect: The risk or noncompliant status that results from the finding
- Recommendations for addressing each finding
- Entity corrective actions taken, if any
6. Conclusion and statement of audit completion4

The final audit report will also include recommendations for actions the audited entity can take to address the compliance problems identified, through a corrective action plan.  The report will further include recommendations to HHS about the need for continued corrective action, if any, and for future oversight.4

How can providers defend themselves?  The key is preparation.  Knowing which HIPAA regulations currently apply and confirming your organization's compliance through self-audit and policy review is the best way to avoid an audit with negative findings.  Several new tools are being offered to assist with this process, including one offered free online by the National Institute of Standards and Technology (NIST), the "HIPAA Security Rule Toolkit."  The toolkit is a self-assessment tool that helps identify where current safeguards are missing or lacking and require improvement; it can be downloaded from NIST's website.  If there are indications that your current program does not meet HIPAA standards and you require assistance, several consulting and legal firms specializing in the field are available to assist with proactive audits, readiness assessments and the appropriate corrective action.



  1. HHS Press Office. "HHS imposes a $4.3 million civil money penalty for violations of the HIPAA Privacy Rule." February 2011. HHS Website. Accessed January 24, 2012.
  2. HHS Press Office. "Massachusetts General Hospital settles potential HIPAA violations." February 2011. HHS Website. Accessed January 24, 2012.
  3. HHS Press Office. "University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities." July 2011. HHS Website. Accessed January 24, 2012.
  4. "OCR HIPAA Audit Protocol and Program Performance." June 2011. Federal Business Opportunities Website. Accessed January 24, 2012.
