The Office of the Inspector General (“OIG”) of the U.S. Department of Health and Human Services (“DHHS”) has announced that the first 20 of a planned 150 covered entities to be audited will be getting notices from the contractor for the DHHS Office of Civil Rights (“OCR”), KPMG, notifying them of the forthcoming audit. Apparently, no business associates are included in either the first 20 or, indeed, the first 150 planned audits.

According to the DHHS website, “Audits conducted during the pilot phase will begin November 2011 and conclude by December 2012.” The first round of 20 audits is expected to take about five months. Up to 130 other audits will follow, in the final eight months of this pilot program.

Each audit is supposed to take about 30 business days and will include onsite interviews and investigations. Covered entities will have 10 days to turn around document requests, such as for copies of policies, security incident reports, training records, and the like.

KPMG intends to give 30-90 days’ advance notice of site visits. This period, however, may well be insufficient if the covered entity is not already well down the road to full HIPAA compliance. Getting a large, complex covered entity fully compliant in 30 days would certainly be problematic. As a HIPAA compliance consultant, I could do so, but it would likely be quite draining, if not downright painful, for all concerned.