Following the mandate set forth in HITECH, OCR has just announced that it's piloting a HIPAA compliance audit program beginning this month in order to assess HIPAA compliance efforts. During this pilot phase, which is expected to last through December 2012, OCR will audit up to 150 covered entities from "as wide a range of types and sizes of covered entities as possible." At least for now, Business Associates will not be included in the pilot program. OCR has engaged KPMG LLP to conduct the audits, and has made public a sample initial notification letter.
Each audit will include a request for documents and information, a site visit, and a draft audit report. Covered entities will have the ability to comment on the auditor's report before it is finalized. While OCR states that it will primarily be using the audit reports to help develop technical assistance and evaluate the efficacy of corrective action plans, OCR is retaining the right to initiate a compliance review to evaluate any serious compliance issues uncovered during this process. At the conclusion of the pilot program, OCR will "broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges." What happens after the pilot program, however, remains to be seen.