May 2012 Volume 8 Number 9

Early Results from New HIPAA Audit Pilot Reveal Emphasis on Policy Documentation and Business Associate Agreements

By Richard B. Wagner, IVANS, Stamford, CT¹

Covered entities and business associates, beware. This year marks the embryonic phase of a new initiative by the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) to curb violations of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)² through randomized audits. All of the HIPAA audits performed this year are part of a pilot program expected to expand in 2013 and beyond, and OCR has branded the information gathered so far as “a new opportunity to examine mechanisms for compliance [and to] identify best practices….”³ Despite these benevolent overtures, covered entities should be on guard should their organization be selected for a pilot audit. Moreover, to survive the audits of future years, covered entities and business associates alike must establish appropriate policies now. The early audit results give these organizations a good idea of the expectations they will be required to meet.

The Audit Pilot Program

Departing from the previously lax HIPAA enforcement regime, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of the American Recovery and Reinvestment Act (“ARRA”),⁴ requires HHS to perform periodic audits⁵ to ensure that covered entities and business associates comply with HIPAA’s Privacy and Security Rules. Last November, nearly three years after HITECH was enacted, OCR began implementing the audit provision by announcing a pilot program⁶ running through 2012 and authorizing up to 150 audits of covered entities to assess their privacy and security compliance.

OCR contracted with auditing giant KPMG to perform the reviews,⁷ and kicked off what has been dubbed “the pilot of the pilot”⁸ by randomly selecting 20 covered entities at the end of last year. These 20 entities broke down into 10 large provider groups, eight payors, and two clearinghouses,⁹ and this 50-40-10 percent distribution is expected to hold for the remainder of the pilot. Notably, business associates are immune from selection during the 2012 pilot phase,¹⁰ but this is expected to change if OCR expands the program in 2013, since HITECH explicitly subjects business associates to HIPAA audits as well.


Early Results

Based on feedback from the initial audits, the process seems to be fairly consistent from entity to entity. Selectees are first notified by KPMG and given just 10 days, counted from the postmark date of the KPMG notice, to respond to an initial document request. The documents requested include privacy policy and procedure manuals, workforce training documentation, incident response plans (including breach response), and risk analyses together with their documented risk mitigation plans. Next comes a pre-audit conference in which the KPMG auditors tell the covered entity what to expect from the process. The on-site audit itself lasts six to 10 days, with a team of three to five auditors performing operational reviews, procedural evaluations, and employee interviews. At the conclusion of the on-site portion, KPMG gives the covered entity an initial out-brief, then takes 20 to 30 days to prepare its official written report. The entity then has 10 days to respond to the report, after which KPMG amends its findings if necessary.

Once finalized, the auditor’s report yields one of four outcomes, in order of increasing severity: (1) no major compliance gaps are found, and only a simple compliance action plan is presented; (2) significant issues are found, and the report presents its concerns along with a proposed remediation plan; (3) the auditors identify a serious deficiency, warranting elevation to OCR for further review; or (4) the report uncovers willful neglect, again leading to OCR notification and with it potential fines and other penalties.¹¹ Early indications are that the majority of audits performed thus far have fallen into the first two categories.¹² This is consistent with OCR’s statement that the “[a]udits are primarily a compliance improvement activity,”¹³ designed to establish best practices for covered entities and business associates alike. OCR will also likely use the results of the pilot audits to put future initiatives on an evidence-based footing.

Nevertheless, covered entities should still proceed with great caution to avoid a finding of serious deficiency or willful neglect. As the pilot audits have shown, the organizations best positioned to do so are those that have explicitly documented their HIPAA compliance initiatives, especially with respect to policy and technical controls (encryption and mobile media are two major areas of focus), data disposition, breach procedures, and risk assessment processes.¹⁴ In addition, covered entities must be able to show sound business associate relationship practices by executing and retaining business associate agreements with every business partner that handles protected health information.¹⁵

Moving Beyond the Pilot

According to OCR, the final review and adjustment of the audit protocol based on the first 20 audits was scheduled to conclude by the end of April, with the remaining 100 to 130 audits to run from May until the end of the year.¹⁶ Despite the low probability of being selected for one of these remaining pilot audits, covered entities and business associates alike should begin implementing HIPAA compliance documentation practices immediately, in advance of the program’s expansion in 2013.

OCR, through its auditors, has made clear that the general theme of the audits is “show me your written policy, and show me you followed it.”¹⁷ In many ways this approach mirrors recent OCR enforcement actions against covered entities for violations of the HIPAA Privacy and Security Rules. In one such action, OCR imposed a $100,000 settlement and a corrective action plan on an Arizona physician practice after finding that the group had been posting clinical and surgical appointment information on a publicly accessible internet calendar.¹⁸ In the course of its investigation, OCR found that the practice lacked documentation for many required processes, including policies for safeguarding data, employee training records, risk analyses, and even business associate agreements.¹⁹

Though the ex post investigation in this example differs in timing from the ex ante HIPAA audits, it underscores the same point: OCR’s emphasis on proper documentation. The covered entity that waits to write its procedures or obtain business associate agreements until the KPMG letter arrives in the mail will be too late. The 2013 expansion may seem distant, but given the time needed to establish an audit trail, potential audit targets need to act now if they want to right the ship.


1 Richard B. Wagner, Esq., is the Chief Privacy Officer and Corporate Compliance Manager for IVANS, Inc., a health information technology network service provider headquartered in Stamford, CT. He can be reached at

2 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (1996); 45 C.F.R. parts 160 and 164 (HIPAA Privacy and Security Rules).

3 U.S. Department of Health & Human Services, HIPAA Privacy & Security Audit Program,

4 Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5 (Feb. 17, 2009), codified at 42 U.S.C. §§ 300jj et seq. and §§ 17901 et seq.

5 Id. at § 13411.

6 HHS, supra n. 3.

8 Michael “Mac” McMillan, Chairman and CEO of CynergisTek, Inc., ABA eHealth Privacy and Security Interest Group Monthly Call, Feb. 17, 2012.

9 For the purposes of the pilot, hybrid entities will be categorized by the type of covered entity service they perform.

10 HHS, supra n. 3.

11 McMillan, supra n. 8.

13 HHS, supra n. 3.

14 McMillan, supra n. 8.

16 HHS, supra n. 3.

17 McMillan, supra n. 8.

18 HHS/OCR-Phoenix Cardiac Surgery Resolution Agreement,

The ABA Health eSource is distributed automatically to members of the ABA Health Law Section. Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.