Healthcare Data Braces for HIPAA Audits
Will your organization be on the list? Just a few short weeks ago, the US Department of Health and Human Services awarded a $9.2 million contract to the professional services firm KPMG to provide HIPAA audit services. The awarded contract anticipates completing 150 audits that vary in size and scope.
According to the recovery.gov website, the firm has to date been awarded 16,458,384 in funds across eighteen awards, and this project has not yet started:
Solicitation Number: OS57605
Notice Type: Award Notice
Contract Award Date: June 10, 2011
Contract Award Number: GS23F8127H_HHSP233201100252G
Contract Award Dollar Amount: 9179011
Contractor Awarded Name: KPMG
In the past, alleged violations of HIPAA rules were generally investigated in response to received complaints. This marks a very significant departure in that sense, and it is tied to provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act that make specific reference to periodic compliance audits. The audits are scheduled to be completed before the end of 2012. If the audits started today, that would be an average of ten organizations audited per month. KPMG is likely preparing for design and delivery on such an abbreviated schedule, if it has not started the audits already.
“Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, observation of compliance with regulatory requirements”
Some specifics on deliverables are also hinted at here, creating opportunities for questions and clues to the agency’s goals:
“After each site visit the contractor must submit an audit report. Audit reports consist of the following information:
a timeline and methodology of the audit; best practices noted; raw data collection materials such as completed checklists and interview notes; a certification indicating the audit is complete. The report must include specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan. The report must include recommendations to the COTR regarding continued need for corrective action, if any, and description of future oversight recommendations. Final Reports shall include, at minimum:
• Identification and description of the audited entity: Include full name, address, EIN, contact person.
• Methods used to conduct the audit
• For each finding:
  - Condition: the defect or noncompliant status observed, and evidence of each
  - Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
  - Cause: the reason that the condition exists, along with identification of supporting documentation used
  - Effect: the risk or noncompliant status that results from the finding
  - Recommendations for addressing each finding
  - Entity corrective actions taken, if any
• Acknowledgement of any best practice(s) or success(es).
• Overall conclusion paragraph”
Observers in the industry will be curious to see what this effort produces in the realm of HIPAA compliance. HIPAA fines started to hit the news earlier this year in a number of high-profile violations. What the Office for Civil Rights (OCR) and KPMG produce as their interpretation and application of HIPAA compliance will set precedents that will be cited by practitioners throughout the healthcare industry.
It also seems that the HHS itself acknowledges the uncertain nature of elements in the proposal:
“The nature of this work makes it impossible to anticipate the level of effort needed for each audit. The government anticipates completing 150 audits of entities varying in size and scope. The first part of this requirement, which consists of developing the audit protocols, is firm fixed price. The second portion of the requirement is also firm fixed price; however, due to the varying nature of conducting each audit, the implementation portion of this requirement cannot be defined in a manner that enables a firm fixed price methodology.”
A prior $178,000 contract, titled OCR HIPAA Audit Candidate Identification, was awarded to Booz Allen Hamilton, ostensibly to identify the candidates for these audits. Among the many elements that are not yet clear are questions about the scope of the audits and whether they are intended to be educational to the industry, as opposed to being positioned as tools for levying penalties. Many organizations will be watching these developments in the months to come.
What will surely emerge are opportunities to reduce risk, protect patient data, and avoid compromises altogether. This is where leading technologies and services can provide value and fill gaps. Using analytic capabilities, an organization can start to look at which issues can be addressed by intelligent analysis and make predictive, significant gains in securing its environment and reducing risk. Using technologies such as advanced logging, an organization can become aware of incidents and recurring issues that affect its risk posture, while also gaining additional forensic capabilities. Advanced security services, such as penetration testing, compliance advisory, and best-practice guidance, can specifically help health organizations overcome their weaknesses and deliver on their responsibilities as custodians of health information.