Throughout November and December 2011, OCR and KPMG notified 20 covered entities that they would be subject to an audit of their HIPAA Privacy and Security Rule and Breach Notification compliance activities. The notification letter included a request for documents and initial information to establish a date for KPMG team members to meet on-site at the covered entity. For the initial 20 audits, on-site field work began in January 2012 and was completed in March 2012. As the next wave of audits is conducted, OCR will post additional information.
The following is a list of the types of entities that received notification letters:
Type of Entity | Entity Location | OCR Region |
---|---|---|
Medicaid Plan | - | Region I |
Allopathic & Osteopathic Physicians | NY | Region II |
Hospital | NJ | Region II |
Group Health Plan | PA | Region III |
Group Health Plan | DC | Region III |
Healthcare Clearinghouse | - | Region III |
Nursing & Custodial Care Facilities | MD | Region III |
Pharmacy | PA | Region III |
SCHIP | - | Region III |
Allopathic & Osteopathic Physicians | NC | Region IV |
Allopathic & Osteopathic Physicians | AL | Region IV |
Hospital | KY | Region IV |
Group Health Plan | TN | Region IV |
Healthcare Clearinghouse | OK | Region VI |
Health Insurance Issuer | NM | Region VI |
Hospital | TX | Region VI |
Health Insurance Issuer | MO | Region VII |
Dentist | CO | Region VIII |
Health Insurance Issuer | ND | Region VIII |
Laboratory | SD | Region VIII |