Protection of Information Created or Obtained Through the HIPAA Audit Program


The American Recovery and Reinvestment Act of 2009 (ARRA) requires HHS to audit covered entity and business associate compliance with the HIPAA privacy and security standards and the breach notification rule.  To effectively implement this statutory mandate, OCR has engaged the services of a professional public accounting firm (KPMG LLP) to conduct performance audits, using generally accepted government auditing standards.  Please recognize that KPMG LLP is requesting and reviewing documents solely as a contractor to OCR, on its behalf and pursuant to its audit authority.  


The OCR has implemented contractual restrictions to prevent the misuse or disclosure of information gathered by the contractors throughout the audit process.  Under its contract with OCR, KPMG agreed to the following protections for the information it obtains or creates pursuant to the conduct of performance audits on behalf of OCR:


  • Information made available to the contractor by the Government for the performance or administration of this effort shall be used only for those purposes and shall not be used in any other way without the written agreement of the HHS contracting officer.


  • The Contractor agreed to assume responsibility for protecting the confidentiality of Government records, which are not public information. 


  • The Contractor and/or Contractor personnel shall not divulge or release data or information developed or obtained in performance of this effort, including until made public by the Government, except to authorized Government personnel or upon written approval of the Contracting Officer.  Such data and information encompass results or findings of work, database files, analyses, and draft or final papers and reports.


  • The Contractor shall not use, disclose, or reproduce proprietary data that bears a restrictive legend, other than as required in the performance of this effort. 


Under the Freedom of Information Act, OCR may be required to release audit notification letters and other information about these audits upon request by the public.  In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.