HIPAA Audit Program Launched; Plan Sponsors' Action Steps

By Sibson Consulting Nov 23, 2011

In November 2011, the U.S. Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) announced a new effort to audit the compliance of covered entities and business associates with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

The audit program is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The pilot phase, ending in December 2012, will involve audits of 150 covered entities.

OCR to Decide Audit Targets

Covered entities include fully insured and self-insured group health plans. The OCR will select the covered entities that will be audited. It stated that it intends to select a wide range of types and sizes of covered entities. Drivers of the selection process could include complaints and media reports about privacy and security breaches. The OCR says it will not post a list of the audited entities or findings from an audit that would identify the audited entity clearly. Selected entities will receive a letter from the OCR along with a document request from the contractor performing the audits.

Audits Conducted by Private Contractor

The OCR has engaged accounting firm KPMG LLP to conduct the audits. Entities that are being audited will be required to respond to KPMG document requests within 10 business days of receipt and will likely have 30 to 90 days’ notice of the on-site visit by KPMG. The on-site visit will last three to 10 business days depending on the complexity of the organization. KPMG will provide its draft report to the audited entity for review and comment, give the entity 10 business days for that review and then submit its final report to the OCR.

Action Steps for Plan Sponsors

Plan sponsors that are notified by the OCR that the plan is being audited should contact legal counsel immediately because covered entities will be expected to provide requested documentation within 10 business days and will need to get prepared for the site visit by KPMG.

Even in the absence of an official audit, plan sponsors should review their compliance program to make sure that the plan’s policies and procedures are up to date, include breach notification policies and procedures, and are consistent with actual privacy and security practices.

Plan sponsors that have not done a periodic HIPAA security risk assessment since their initial assessment in 2004 or 2005 should do so. This is particularly important if the plan has adopted new systems, technologies or web sites with interactive features.

In 2012 the OCR is expected to issue additional final regulations under the HITECH Act (including new restrictions on marketing communications, changes to individual rights and new business associate rules) and the Genetic Information Nondiscrimination Act (GINA). These regulations will necessitate further amendments to privacy and security policies and training of benefits staff about these new policies.

Audit Results

If serious compliance problems are uncovered during an audit, the OCR may initiate a compliance review to address the problem. In general, the OCR will use the audit results as a whole to gain a better understanding of problems that regulated entities are having and the types of corrective actions that are most effective as well as to provide technical assistance and promote best practices.

Breach Notification Reports

The HITECH Act requires covered entities and business associates to comply with breach notification provisions that took effect in September 2009. Covered entities must notify affected individuals and the government (and sometimes the news media) when there is a breach of unsecured protected health information. In a report submitted to Congress summarizing these breach reports, the OCR stated that in 2010 covered entities were required to notify 5.4 million individuals about large-scale breaches that affected 500 or more people, with one breach alone (theft of back-up tapes) accounting for 1.9 million of these notices. The most common causes of large-scale breaches in 2010 are noted in the table below. The OCR website and database containing summaries of large-scale breaches provides information about 364 such incidents.

Large-Scale Breaches Reported in 2010

Type of Breach / Number of Individuals Affected

1. Theft of paper records or electronic media, including back-up tapes, laptop computers, desktop computers, smart phones, flash drives or network servers.
2. Loss of paper records or electronic media.
3. Unauthorized access to, use or disclosure of protected health information, including outsider hacking and access by unauthorized employees.
4. Human or technological error, including misdirected mailings or e-mail.
5. Improper disposal of paper records.

Source: OCR's Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance for Calendar Years 2009 and 2010.

Other Enforcement Activities

Testimony presented to Congress at a November 2011 hearing provided interesting statistics about enforcement efforts by the OCR and by the U.S. Department of Justice, which has authority to prosecute criminal violations of HIPAA. The OCR has received more than 64,000 complaints since April 2003, with the number of complaints increasing nearly every year. The OCR has required covered entities to change their privacy and security practices in 15,000 cases and has reached monetary settlements or assessed civil monetary penalties in seven cases, with amounts ranging from $35,000 to $4.3 million.

The OCR forwards complaints involving potential criminal violations to the Federal Bureau of Investigation (FBI), which investigates the matter and works with the appropriate U.S. Attorney’s Office to determine whether to bring charges. During fiscal year 2011, federal prosecutors brought 16 cases and obtained 16 convictions in cases where the primary charge was a violation of HIPAA. As of November 2011, the FBI had 56 pending investigations involving violations of HIPAA. Other cases were pending where HIPAA was one of the charges but not the primary one.

Sibson Consulting, a division of Segal, provides strategic human resources solutions to corporate and nonprofit employers. This article originally appeared in the Nov. 18, 2011, issue of Sibson Consulting e-newsletter Capital Checkup. Reposted with permission. This article is for informational purposes only and should not be construed as legal advice. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.
