Nashville TN (PRWEB) September 07, 2011

Clearwater Compliance, a leading HIPAA-HITECH consultancy, today announced the publication of a White Paper entitled “The 2012 HIPAA Audits: Will the Past Predict the Future?” The White Paper is based on the premise that understanding the possible impact of the upcoming privacy and security audits will lead organizations to better prepare for audits and, more importantly, assure their compliance with the regulations.

Section 13411 of the HITECH Act requires the Secretary of Health and Human Services (HHS) to “provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.” That means compliance with the HIPAA Privacy and Security Final Rules.

On June 10, 2011, the Office for Civil Rights (OCR) awarded Virginia-based audit firm KPMG a $9.2 million contract related to the development of an audit program to be undertaken on 150 covered entities (CEs) in 2012. This White Paper from Clearwater Compliance reviews agency audit and other enforcement activities from 2003 to 2011, identifies what is known about the 2012 audits, extracts some insights from the historic agency audit and enforcement activities, and draws some conclusions and possible ramifications resulting from the upcoming KPMG audits. This White Paper also offers commentary on best practices for covered entities heading into the 2012 audits and recommends several practical, actionable initiatives that organizations should consider to prepare for the audits in order to become and/or remain compliant with HIPAA and HITECH.

Among the principal findings of the White Paper is the fact that both CMS and HHS-OIG presented previous audit reports with analysis that went far beyond the black letter of the Privacy Rule and the Security Rule. Those audits included reference to and reliance upon documents outside the black letter of the Rules, treating those documents with as much weight and authority as if the documents were akin to regulations.

“This beyond-black-letter-law methodology can be said to be on the far side of activism and into the highest category of ‘hypervigilance’,” said Bob Chaput, founder and CEO of Clearwater Compliance. “While we know the HIPAA Security Final Rule is based on the National Institute of Standards and Technology framework, seemingly deep references there and into Institute of Electrical and Electronics Engineers (IEEE) standards to cite ‘Ineffective Wireless Network Encryption’ in an audit report seem to be a surprising shift to specificity beyond the regulations.”

This White Paper is the first in a series addressing the increasingly complex business risk management issue of HIPAA-HITECH compliance. Several topics have already been identified and research work is underway. Clearwater uses a multidisciplinary approach to researching and writing these papers to consider what HIPAA and HITECH privacy, security and breach notification regulations mean to the healthcare industry, patients and the future of healthcare delivery. Clearwater conducts ongoing research, offers frequent educational live web events, Blue Ribbon™ Panel discussions, resources and breaking news updates on topics related to HIPAA, the HITECH Act, and the HIPAA Security Rule. This work influences product development for clients of Clearwater, a leader in consulting services and software products for HIPAA compliance in the healthcare industry.

“Importantly, based on our research and analysis, we conclude the paper with specific, tangible actions that Covered Entities (and Business Associates) should consider taking immediately to prepare for the audits,” Chaput added. The paper may be found at:

Clearwater Compliance

Clearwater Compliance helps covered entities, business associates and their subcontractors meet stringent HIPAA-HITECH Privacy, Security and Data Breach Notification requirements. Clearwater offers frequent webinars on topics related to HIPAA, the HITECH Act, and the HIPAA Security Rule. Please visit to register for a webinar, access Clearwater HIPAA HITECH Compliance resource library or sign up for newsletters. Clearwater Compliance is active in national efforts to safeguard Protected Health Information and is a premium co-sponsor of the American National Standards Institute (ANSI) Protected Health Information (PHI) Project found at

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.