The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is responsible for enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules, including the recent amendments made by the Health Information Technology for Economic and Clinical Health Act (HITECH). OCR has begun conducting audits of covered entities, including group health plans, hospitals, laboratories, pharmacies, physicians, and dentists.
The audit protocol (165 areas of accountability in total) provides a road map for covered entities and business associates to develop a self-audit. OCR auditors will review a covered entity’s HIPAA processes, policies, and controls to ensure compliance with federal regulations. OCR developed 77 areas of accountability for the Security Rule and 88 areas of accountability for the Privacy and Breach Notification Rules.
The protocol addresses Privacy Rule requirements including:
1. Notice of privacy practices for Protected Health Information (PHI),
2. Right to request privacy protection for PHI,
3. Access of individuals to PHI,
4. Administrative requirements,
5. Uses and disclosures of PHI,
6. Amendment of PHI, and
7. Accounting of disclosures.
The OCR protocol also addresses Security Rule requirements for administrative, physical, and technical safeguards, including regular training for staff, documented sanction policies, and encryption of PHI.
Finally, the protocol covers requirements for the Breach Notification Rule, including existence of policies and procedures to address incidents that might be deemed a breach of unsecured protected health information and timeliness of notification when a breach is deemed to occur.
OCR has completed the fieldwork on its first 20 audits and expects to complete an additional 115 audits by the end of 2012. Changes to the protocol may be made after the HIPAA omnibus regulations are released, which is expected later this summer.