Here come the HIPAA audits!  On June 20, 2011, the US Department of Health and Human Services' award of a contract to KPMG to provide HIPAA audit services was posted on the Web site.

The contract calls for the development of methodology and audits at 150 HIPAA entities by the end of 2012.  For an advisory on the topic from Davis, Wright, Tremaine, LLP, see:   For the posting, please see  -or-


Holy cow!  That’s like what, 8.5 audits per month?  I guess we’ll have some better information on what goes into these before long now, and here’s hoping the folks at HHS OCR are good about posting the procedures and questions once KPMG designs them.  With these numbers, I’d be surprised to not hear about audit content leaked by an employee once they get under way.  At any rate, these audits, promised by HITECH to be under way already, should help provide some insight into HHS OCR’s (and KPMG’s) understanding of the regulations so we can all make better compliance decisions.  Just how Addressable is encryption and under what circumstances?  Let’s just hope you don’t get selected for round one — KPMG has quite a task ahead, just to enumerate all the entities covered under HIPAA so they can figure out who should be audited in a fairly random way.  You don’t want to be the guinea pig for the new program, no matter how good your compliance is.  Here’s hoping!