Leon Rodriguez, the head of OCR, stated in an interview that the 150 HIPAA audits are just a pilot program.
OCR recently hired the consulting firm KPMG to launch a HIPAA compliance audit program, with 150 audits anticipated by the end of 2012. Because this is the first time the office is conducting audits, the effort amounts to a pilot, Rodriguez says. As a result, he’ll be reviewing “how an audit program best advances our enforcement goals.”
Rodriguez’s comment is insightful in that it shows the 150 HIPAA audits are just a start. He makes it clear that OCR is using these audits to further develop the audit process. He also made it clear that he feels enforcement leads to compliance. So the question is what happens after 2012 and the 150 audits? Will there be an increased number of audits in 2013? Based on 2012 being a pilot program, I would say it is safe to assume that the audits will not end in 2012 and will most likely increase in 2013.
Susan McAndrew, the deputy director of OCR, said in an interview that it wasn’t clear that business associates would be part of the initial 150 audits. With the 150 audits serving as a pilot, it is also probably safe to assume that if business associates are not part of the initial audit, they will be targeted in audits after 2013.
So if you said to yourself that OCR is only doing 150 audits and your chances of being audited are very small, you may want to rethink what happens after 2012. 150 audits out of the total number of covered entities and business associates is very small, but if OCR uses the audits to refine its process there could be a larger number of audits after 2012.
Instead of looking at the 150 audits as low risk to an organization, covered entities and business associates should view them as an opportunity to work on becoming compliant before OCR ramps up its audit program in 2013.