It is time for covered entities and business associates to jump start HIPAA privacy and security programs and make sure that everything is in compliance. GovInfoSecurity reports that the Department of Health and Human Services (HHS) has awarded a $9.2 million contract to KPMG to develop protocols for conducting the long-awaited HITECH Act-mandated HIPAA compliance audit program. It’s reported in the bid synopsis that the program will include 150 site visits of covered entities and business associates by the end of 2012.
Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, observation of compliance with regulatory requirements….
There is no information in the contract bid document about how entities will be selected for audit or whether the auditors will review general compliance with the HIPAA Privacy and Security Rules or something more focused and specific. There is also no insight as to whether the written audit reports will be used by HHS for enforcement purposes.