Giant accounting and consulting firm KPMG in 2011 was contracted by the Office for Civil Rights (OCR) to conduct an initial round of up to 150 HIPAA security audits as mandated by the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009.

HIPAA (Health Insurance Portability and Accountability Act) requires covered entities to safeguard all protected health information (PHI) from unwarranted disclosure. KPMG so far has visited 20 covered entities, ranging from a single physician's office to acute and managed care facilities, during the initial part of its OCR audit contract (OCR is an office within the U.S. Department of Health and Human Services).

In a recent interview, Michael Ebert, who heads the HIPAA audit program for KPMG, shared some preliminary guidance and findings. His first piece of advice was for organizations handling PHI to conduct a "risk analysis," the absence of which he says is the "biggest failing" he has discovered so far.

As for the most common problem, according to Ebert: “People need to understand that safeguarding PHI goes beyond electronic. It goes to paper and oral. So how you set up your ERs, how you set up your consultation area” matter.

“We did a review at a large national pharmacy chain and they didn’t have consultation areas that were private enough in a good 20 percent of their stores,” he said. “It was just the nature of the design. They had not updated their design in some of their stores. And they are doing that now. That was an interesting finding. They were like, ‘Oh, we missed that.’”

KPMG will now audit as many as 95 more covered entities, each of which will receive a copy of its audit and be allowed to comment on it before it is forwarded to OCR. Full findings, and the guidance that follows from them, will not be released until well after that process is completed.