In June 2011, KPMG was awarded the contract to conduct HIPAA audits and develop an audit protocol on behalf of the Health and Human Services (HHS) Office for Civil Rights (OCR). During the initial test phase, from November 2011 through March 2012, 20 covered entities were audited. As a result of these initial audits, in June 2012, OCR published the HIPAA Audit Protocol on its website. The protocol contains the requirements that will be assessed during the OCR HIPAA Audit program. It covers the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements, as well as audit procedures and what will be expected of covered entities.
User activity monitoring was found to be the #1 deficiency in the first 20 audits, accounting for nearly one-quarter of the issues identified for non-compliance with the HIPAA Security Rule. FairWarning's solution for patient privacy monitoring maps directly to 13 key requirements of the recently announced OCR HIPAA Audit Protocol and influences many others, which are focused on both the management process and audit controls for applications containing PHI. Many of the protocols are problematic if not impossible to address without FairWarning.