Protocol for HIPAA Audits Released

OCR Establishes Requirements for HIPAA Performance Audits

The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy within the Department of Health and Human Services (HHS). The HITECH Act amended HIPAA and requires OCR to perform periodic audits of covered entities and business associates. The audits are meant to ensure compliance with the HIPAA Privacy and Security Rules and the Breach Notification standards. The new protocol updates the one used during OCR's pilot audit program.

OCR has now established a comprehensive audit protocol containing the requirements to be assessed in these performance audits. The protocol is organized into modules, each representing a separate element of privacy, security, or breach notification. It addresses 165 performance criteria: 77 of them cover Security Rule compliance exclusively, and the remaining 88 cover the requirements of the Breach Notification Rule and the Privacy Rule. The audit protocol has been posted on the OCR web site and covers:

  • Privacy Rule requirements for notice of privacy practices for PHI, rights to request privacy protection for PHI, access of individuals to PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, and accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Requirements of the Breach Notification Rule.

The audits conducted so far show that 65% of the HIPAA violations found relate to keeping electronic patient data secure. So who will be audited? Writing for Healthcare IT News, Michelle McNickle reported three hot buttons that can trigger an OCR audit:

  1. Prior breaches involving 500 or more patient records.
  2. Complaints from patients or employees.
  3. Prior visits from OCR.

The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) co-hosted the 5th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, earlier this month. Speaker Linda Sanches, senior advisor for health information privacy at OCR, recommended using the new protocol and conducting self-audits.