AWARD
R -- OCR HIPAA Audit Protocol and Program Performance
- Notice Date
- 6/20/2011
- Notice Type
- Award Notice
- Contracting Office
- Department of Health and Human Services, Program Support Center, Division of Acquisition Management, Parklawn Building Room 5-101, 5600 Fishers Lane, Rockville, Maryland, 20857
- ZIP Code
- 20857
- Solicitation Number
- OS57605
- Archive Date
- 6/25/2011
- Point of Contact
- Gabriel Wright, Phone: 3014432475
- E-Mail Address
- gabriel.wright@psc.hhs.gov
- Small Business Set-Aside
- N/A
- Award Number
- GS23F8127H_HHSP233201100252G
- Award Date
- 6/10/2011
- Awardee
- KPMG, 1676 INTERNATIONAL DR, MCLEAN, Virginia 22102-4898, United States
- Award Amount
- 9179011
- Description
- The protocol and audit program performance requested under this contract shall assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA. The audits shall be conducted through a contracted firm(s) under the guidance of HHS staff.

After developing the audit protocol, the contractor will be required to meet entities and perform the following audit activities: Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy; observation of compliance with regulatory requirements.

After each site visit the contractor must submit an audit report. Audit reports consist of the following information: a timeline and methodology of the audit; best practices noted; raw data collection materials such as completed checklists and interview notes; a certification indicating the audit is complete. The report must include specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan. The report must include recommendations to the COTR regarding continued need for corrective action, if any, and description of future oversight recommendations.

Final Reports shall include, at minimum:
• Identification and description of the audited entity: include full name, address, EIN, contact person.
• Methods used to conduct the audit
• For each finding:
  o Condition: the defect or noncompliant status observed, and evidence of each
  o Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
  o Cause: the reason that the condition exists, along with identification of supporting documentation used
  o Effect: the risk or noncompliant status that results from the finding
  o Recommendations for addressing each finding
  o Entity corrective actions taken, if any
• Acknowledgement of any best practice(s) or success(es).
• Overall conclusion paragraph

The nature of this work makes it impossible to anticipate the level of effort needed for each audit. The government anticipates completing 150 audits of entities varying in size and scope. The first part of this requirement, which consists of developing the audit protocols, is firm fixed price. The second portion of the requirement is also firm fixed price; however, due to the varying nature of conducting each audit, the implementation portion of this requirement cannot be defined in a manner to enable a firm fixed price methodology.
- Web Link
- FBO.gov Permalink (https://www.fbo.gov/spg/HHS/PSC/DAM/Awards/GS23F8127H_HHSP233201100252G.html)
- Record
- SN02476823-W 20110622/110620234419-9e045aa4f7e6f8499c5b6f74d5b211e9 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)