

The Department of Health and Human Services’ Office for Civil Rights (OCR) is one step closer to fulfilling one of its mandates under the HITECH Act. The agency recently chose a firm to conduct HIPAA compliance audits at covered entities and business associates to ensure HIPAA compliance. KPMG, the firm chosen to carry out the work, is expected to conduct 150 audits by the end of 2012. The firm Booz Allen Hamilton will determine which covered entities and business associates should be audited.

We wondered, could this be a vision of the future of privacy? Could the HIPAA compliance audit program model be adopted by other, non-healthcare industries? If the program is successful, what should we expect, if anything, across the industry spectrum?

The Daily Dashboard asked leading privacy attorneys and consultants for their opinions. Here’s what they said.


Adam Greene
Partner, Davis Wright Tremaine LLP

“The HITECH Act calls for auditing covered entities (CEs) and business associates (BAs), so there is definitely the potential for audits of non-healthcare BAs (e.g., entities that are not healthcare companies but that host some personal health information for CEs). One of the biggest factors will be the success of Booz Allen in identifying the universe of BAs. I'm skeptical that it can be done reasonably well, and so I'm interested to see their approach.

As for the other questions, the future of these audits is very hard to predict once the HITECH funds run out. In the current budget climate, I don't envision a significant annual budget for such audits after 2012. However, HITECH provides that OCR gets to keep enforcement recoveries, so if the audit program is deemed a success, this may be where enforcement recoveries are allocated.”


Christine R. Ravago, CIPP, CISA
Manager, Advisory Services, Ernst & Young

“I would say the HIPAA compliance audit model has already bled into non-healthcare operations. We increasingly see companies that operate in complex environments—where only one facet of their operations is related to healthcare—take a conservative approach because of the potential risk to brand and reputation that a failure may cause. As a result, they are auditing their operations, both healthcare and non-healthcare components, to the standard demanded by HIPAA.”


Kirk J. Nahra, CIPP
Partner, Wiley Rein LLP

“The HIPAA compliance audit program is specifically mandated by statute, and addresses the very idiosyncratic requirements of the HIPAA Security Rule. I do not believe that an audit program—tied to a specific set of anticipated "answers" under the Security Rule—matches the overall approach of the rule very well. Therefore, I do not see this as being a particularly effective program in connection with the HIPAA Security Rule, nor do I see any realistic likelihood of a broad-based carryover to other areas. I expect that we will continue to see more and more detail to security compliance obligations, and ongoing enforcement in the event of breaches, but I do not see a likelihood of substantial ongoing proactive audit activities by any relevant regulatory agency.”   


Elizabeth Johnson
Partner, Poyner Spruill LLP

“Many regulators would have an important threshold to cross before they could effectively adopt the new OCR audit model; namely, the adoption of detailed privacy and information security requirements against which to audit private actors. In this country, detailed privacy and security requirements tend to be the exception rather than the rule. The situations where detailed privacy and security requirements are in place are industry-based or state-based. For example, HIPAA in the healthcare industry; the Massachusetts data security regulations that apply only when certain information about a Massachusetts resident is at issue; the insurance industry for which many states have adopted specific privacy and security requirements either by statute or regulation, and, of course, the financial industry, where the applicable regulators have adopted requirements (and developed audit standards) pursuant to Gramm-Leach-Bliley. These regulators could engage in detailed audits to assess compliance with the standards they enforce (and in the case of financial regulators, have done so for some time).

For most private businesses, however, the default regulators are (at the federal level) the FTC, which generally governs consumer matters, and the DOC, which governs commerce and, at the state level, state attorneys general. Those regulators have been relatively active in privacy and security enforcement, but do not usually have a detailed set of standards they can enforce against in the manner HHS is able to do for HIPAA. Instead, they apply general requirements, like prohibiting “unfair or deceptive trade practices” or (in many states laws) requiring “reasonable and appropriate security.” I think it would be impracticable and widely disputed by private industry if any of these regulators with more general authority tried to enforce a detailed set of standards, such as NIST or ISO, because those standards are not clearly mandated by the laws they enforce. In the absence of a detailed set of standards to audit against (like HIPAA), these regulators would not have a clear path to adopting the OCR audit model.

A number of factors are brewing that will or could dramatically change that. Most notably, there are a number of federal proposals in play that would potentially provide (or authorize the FTC to develop) stricter privacy and security requirements against which the FTC could audit in this fashion. States seem poised to include more detailed privacy and security requirements in their laws (Texas H.B. 300 being a recent example) and/or increasingly incorporate more specific standards into their laws by reference (such as Nevada incorporating PCI DSS and certain NIST specifications). As the requirements become more granular, the potential for audits of the type OCR is embarking on is greatly increased.

Once the standards are established, the OCR model will certainly carry appeal for federal agencies. It frees up their staff to engage in other endeavors; the consultants they are engaging arguably have greater audit experience and certainly more staff to conduct them, and the regulated community is likely to increase efforts toward compliance with the threat of an audit looming. The penalties associated with HIPAA noncompliance are more than sufficient to fund the agency’s contract with the auditor, so budget constraints should not present any hindrances. Recent HIPAA enforcement actions (UCLA, Rite Aid, CVS, Mass. General) have brought “resolution amounts” near or in excess of $1 million.

That goes a long way toward paying the $9.2 million contract with KPMG, which has not even begun to identify new enforcement targets based on the results of its audits.

The dangers for the regulated community in this model are many. Consultants are not lawyers and sometimes misconstrue legal requirements in their assessments. Hopefully the agency would be open to the enforcement target’s feedback in such cases. Judging by the number of HIPAA audits planned in a relatively short timeframe, it seems likely the work will be performed by multiple different teams, and KPMG may have to hire more personnel or subcontract. In either case, there is a danger of inconsistency in approach and results. The results are obviously crucially important to the enforcement target, which will face penalties up to $1.5 million per provision violated in a given calendar year. Since HIPAA includes dozens of substantive provisions, it is easily conceivable that targets could be fined multiple millions following from the audit, so the stakes are incredibly high.”


Agnes Bundy Scanlan, CIPP
Global Chief Privacy Officer, TDBG

“Based on a review of the HIPAA/HITECH, the HIPAA compliance audit requirements mandated by HITECH will extend to business associates. While HIPAA/HITECH compliance audit requirements touch non-healthcare industries (i.e., financial institutions), it would seem that the possibility of an audit for a non-healthcare organization would be less likely given the large number of healthcare organizations that could be selected for an audit. However, it is important to recognize that since HITECH extended HIPAA compliance audit requirements to business associates, it would seem that someone (i.e., HHS) would come back to business associates to perform an audit. In addition to external audit concerns, organizations required to be HIPAA/HITECH compliant will also have to deal with state attorneys general, who will have the right to bring civil actions for HITECH violations and potential scrutiny from internal audit departments.”


Ross Federgreen, CIPP
Founder, CSRSI

“It is my belief that OCR/HHS is very serious about the implementation of the HITECH audit provisions. OCR imposed its first civil monetary penalty of 4.3 million dollars in February 2011 against Cignet Health and several days later reached a settlement with Massachusetts General Hospital for one million dollars. HIPAA was initially viewed 10 years ago as a viable compliance issue but rapidly fell into the realm of a toothless tiger. With the announcement that KPMG has been contracted to complete approximately 150 "audits" over the next 12 to 18 months for a fee of 9.2 million dollars and with the separate award to Booz-Allen to determine who shall be audited, the process is very real.

The increased scope of the initiative, which now affects all "covered entities," and the potential utilization of this approach throughout the federal government's enforcement of privacy security matters is not surprising. Given the high visibility of identity theft and the universal political capital that solving this problem brings to legislators that verbalize and demonstrate a strong voice against these activities with emphasis on protection of the public, I believe that these types of actions will continue, increase in scope and increase across multiple areas that fall under federal jurisdiction.

The success of this program will lead to greater enforcement. This is the classic positive feedback loop. Success will be measured by the amount of dollars captured and the positive visibility of these efforts in the minds of the electorate.”

