As we previously discussed, the Office of Civil Rights (“OCR”) continues to push forward with the HIPAA audits required by the HITECH Act.  To this end, the OCR recently posted the protocol which is used to conduct the HIPAA audits on its website. 

The HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  To implement this mandate, OCR piloted a program to perform audits of covered entities to assess privacy and security compliance.   This HIPAA audit program analyzes processes, controls, and policies of selected covered entities (e.g., health plans, health care clearinghouses, and certain health care providers) as well as the requirements to be assessed through these performance audits. The audit protocol is organized around “modules,” as follows:

  • The first audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The second protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The third protocol covers requirements for the Breach Notification Rule.

Notably, the combination of these multiple requirements may vary based on the type of covered entity selected for review.  Healthcare providers, health plans, and business associates, all who could be affected by the HIPAA audits, need to not only be aware of the OCR’s audit activities, but also HHS’s efforts to increase enforcement of HIPAA.