Are You Ready for the New HIPAA Audits?

by on July 12, 2011

Last week, the Department of Health and Human Services (HHS) announced that it has appointed KPMG as the official HIPAA privacy and security auditor. Under the contract, KPMG could conduct as many as 150 audits by the end of next year.

While 150 audits in the next year and a half might not sound like a lot, for organizations considered “covered entities” under HIPAA, the significance is this: The KPMG contract marks the first step toward a proactive, structured HIPAA audit program with a target number of audits. Up to this point, HHS has conducted HIPAA investigations or reviews only when it has received a complaint or a media report of suspected noncompliance. So, last week’s announcement is effectively another wake-up call for organizations to assess their HIPAA compliance programs and take steps to fill any gaps, ASAP.

The announcement from HHS leaves lots of unanswered questions, points out Adam Greene of Davis Wright Tremaine LLP in a recent blog post that provides a comprehensive look at what last week’s news means. In addition to the excellent list of questions Greene raises, I add one more: Are you ready? If your business is one of the lucky few selected for a HIPAA audit, will you pass? What would the findings look like?

Greene also suggests some important next steps to help make sure that your business is ready—assessing your privacy and security programs by checking policies and procedures, reviewing staff training and conducting site visits, among others. Included in this review should be steps we’ve suggested in the past: proactive testing and adjustment of archival procedures to satisfy HIPAA requirements; simple IT security measures to ensure data integrity; and a data retention policy and practices that include a methodology and tools to locate specific media—both online and offline—quickly and painlessly. (It so happens that our Vertices and VaultLedger products make it easy to manage storage media across your enterprise and include the capability to create comprehensive audit reports.)

While many questions remain about the details of the HHS audit program, one thing is clear: There’s a new HIPAA cop on the beat, and organizations would do well to prepare in advance for the small, yet all-too-serious, possibility of a HIPAA compliance audit.

What are you doing to stay compliant?
