The Department of Health and Human Services has awarded a $9.2 million contract to consulting firm KPMG to assist its Office for Civil Rights (OCR) in creating a protocol for conducting HIPAA privacy and security audits. The contract also calls for KPMG to conduct up to 150 audits by Dec. 31, 2012.
Audits will include site visits with interviews of leadership (CIO, privacy officer, legal counsel, health information management director); examination of physical features and operations; review of the consistency of process with policy; and observation of compliance with regulatory requirements.
OCR has taken on a much higher profile in recent years. That’s in part because in 2009 HHS transferred authority for the enforcement of HIPAA security provisions to OCR from the Centers for Medicare and Medicaid Services. Another new wrinkle under the Health Information Technology for Economic and Clinical Health (HITECH) Act is that state attorneys general can file civil lawsuits for HIPAA violations. In fact, health insurance company WellPoint Inc. just settled a data breach lawsuit brought by Indiana attorney general Greg Zoeller. WellPoint agreed to pay Indiana a $100,000 settlement over a data breach in which the personal information of thousands of WellPoint customers was potentially accessible via the Internet.
The August print issue of Healthcare Informatics will include more in-depth coverage on what some leading healthcare organizations are doing to prepare for the possibility of an OCR audit.
For the August article, Susan McAndrew, deputy director for health information privacy, HHS Office for Civil Rights, talked about the ramped-up enforcement regime. “It is HHS’ expectation that covered entities and their business associates take these requirements seriously,” she said. “HHS will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”