KPMG Audits

I was fortunate enough to have a seminar attendee at my Dallas, Texas, Cross Country HIPAA seminar on August 23 whose hospital had been audited by the Department of Health and Human Services (“DHHS”) through its engagement of KPMG (see the January 22, 2012, blog post with guest commentator Richard D. Dvorak).

I asked the seminar attendee to write a guest blog entry about the experience, and she seemed willing, so I am hoping that she will. Something that she said about that audit, however, seemed important enough not to wait. She said that KPMG was not interested in seeing the hospital’s state of compliance as of the audit date. KPMG wanted a snapshot of where the hospital had been a year before the audit date. In other words, getting notified that KPMG is going to audit you and then throwing a bunch of stuff together to get compliant, such as doing your initial risk analysis, updating your initial risk analysis, and adopting policies, won’t be particularly helpful for you—not that you shouldn’t do it to avoid other liabilities besides getting dinged on an audit.

Her hospital had done a risk analysis, had implemented policies, and so forth, and although they had a couple of minor dings, KPMG found no deficiencies that would result in an adverse enforcement action. So the good news is that it can be done. But don’t wait until you get notice of the impending audit. Do it now.

As always, if you need help with getting compliant in the first place or making sure that your efforts are sufficient and up to date

