
HIPAA Auditor Involved in Own Data Breach

Dom Nicastro, for HealthLeaders Media, August 8, 2011

Asked if OCR considered the KPMG involvement on this 2010 breach at any level when considering it for the HIPAA audit contract, McAndrew only said, “the award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.” 

The process to hire KPMG involved a Department of Health and Human Services (HHS) panel that reviewed and ranked all technical proposals and qualifications by “predetermined evaluation criteria,” McAndrew said.

“Evaluation criteria in the solicitation included responsiveness to the audit design requirements in the HHS statement of work, as well as past performance on other compliance audit programs,” McAndrew said. “Negotiations were conducted, and an offer was made.”

KPMG LLP is an audit, tax, and advisory firm and is the United States member firm of KPMG International, according to its website. KPMG International’s member firms have 137,000 professionals, including more than 7,600 partners, in 144 countries.


Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.


3 comments on "HIPAA Auditor Involved in Own Data Breach"


Richard Fowler (8/17/2011 at 9:04 AM)
In response to John's comment - You may have heard an auditor say "trust but verify" when asking to see proof of a transaction or process. The same is true of the auditors themselves - they need to show that their testing or attestations were performed, and so there needs to be some record of what was reviewed, what the tests and samples were, and what their analysis revealed. That being said, KPMG should have known not to store data on an unencrypted flash drive. And it's a huge security risk that the computers enabled a download to a flash drive in the first place - I wonder if KPMG will note that in their audit opinion.

Deborah C Peel, MD (8/10/2011 at 5:37 PM)
OCR's contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive. First KPMG absolved itself of doing any harm: "KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost," and "KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person." Then KPMG prescribed its own remedy: "KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives." Why didn't OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits. This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches. Time for Congressional oversight?

John Moehrke (8/9/2011 at 1:54 PM)
What on earth was the reason that the HIPAA Auditor gave for why they needed copies of patient records? I can't imagine any HIPAA regulation item that would need to be audited by taking a copy of patient records. This sounds like a rogue auditor, or a badly broken process.