OCR HIPAA Audit Protocol and Program Performance

This opportunity is a Recovery and Reinvestment Act action
Solicitation Number: OS57605
Agency: Department of Health and Human Services
Office: Program Support Center
Location: Division of Acquisition Management
Award Notice
June 10, 2011
MCLEAN, Virginia 22102-4898
United States
Added: Jun 20, 2011 5:05 pm
The protocol and audit program performance requested under this contract shall assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA. The audits shall be conducted through a contracted firm(s) under the guidance of HHS staff.

After developing the audit protocol the contractor will be required to meet entities and perform the following audit activities:

Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; assessment of the consistency of process to policy; and observation of compliance with regulatory requirements.

After each site visit the contractor must submit an audit report. Audit reports consist of the following information:

a timeline and methodology of the audit; best practices noted; raw data collection materials such as completed checklists and interview notes; a certification indicating the audit is complete. The report must include specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan. The report must include recommendations to the COTR regarding continued need for corrective action, if any, and description of future oversight recommendations. Final Reports shall include, at minimum:
• Identification and description of the audited entity: include full name, address, EIN, and contact person.
• Methods used to conduct the audit
• For each finding:
o Condition: the defect or noncompliant status observed, and evidence of each
o Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
o Cause: The reason that the condition exists, along with identification of supporting documentation used
o Effect: the risk or noncompliant status that results from the finding
o Recommendations for addressing each finding
o Entity corrective actions taken, if any
• Acknowledgement of any best practice(s) or success(es).
• Overall conclusion paragraph

The nature of this work makes it impossible to anticipate the level of effort needed for each audit. The government anticipates completing 150 audits of entities varying in size and scope. The first part of this requirement, which consists of developing the audit protocols, is firm fixed price. The second portion of the requirement is also firm fixed price; however, due to the varying nature of each audit, the implementation portion of this requirement cannot be defined in a manner that enables a firm fixed price methodology.

Parklawn Building Room 5-101
5600 Fishers Lane
Rockville, Maryland 20857
Gabriel Wright
Phone: 3014432475