OCR Identifies Incident Detection/Response Top Issue in HIPAA Audits

In June 2011, the DHHS Office of Civil Rights (“OCR”) awarded KPMG, LLP, a $9.2 million contract to audit covered entities and business associates for HIPAA compliance, as required by the HITECH Act. The first phase, from fall 2011 through 2012, will cover 150 covered entities. OCR plans to move away from auditing based on responses to complaints or breaches and toward audits based on risk factors, such as the size and type of the covered entity.

OCR identified the following as key areas for the audits with incident detection and response as the top issue:

  • Incident detection and response.
  • Access log review.
  • Secure wireless network.
  • User access and passwords management.
  • Theft or loss of mobile devices.
  • Up-to-date software.
  • Role-based access—lack of information access management.

The Security Rule’s Security Incident Reporting Standard requires a report procedure and a response procedure. The report procedure specifies who reports what and to whom and whether any particular form, format, and contents of the report are required. The response procedure specifies what the person receiving the report is supposed to do with it.

Handling a HIPAA security incident properly is crucial because the maximum fine of $50,000 per violation applies to breaches based on willful neglect that the covered entity did not handle properly, as opposed to a $10,000 fine if it did handle the breach properly.

For a brand new resource on how to handle a breach properly, see my forthcoming book, “Handling HIPAA Breaches, Complaints, and Investigations: Everything That You Need to Know.” If you would like a prepublication discount on this new book, please email Sherry at sherry@veteranspress.com or call her toll-free at 855-341-8783, ext. 303.

On August 18th, 2011, posted in: HIPAA Compliance Blog by