OCR releases audit protocols for HIPAA Security, Privacy and Breaches

The Department of Health & Human Services (HHS) is required under Section 13411 of the HITECH Act to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, HHS’ Office for Civil Rights (responsible for enforcing the HIPAA Privacy and Security Rules) piloted an audit program of covered entities to assess privacy and security compliance. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.

OCR has now published audit protocols for HIPAA Security and HIPAA Privacy and Breach. The protocols may be found at: http://ocrnotifications.hhs.gov/hipaa.html. The audit protocols cover Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. The protocols also cover Security Rule requirements for administrative, physical, and technical safeguards. In addition, the protocols cover requirements for the Breach Notification Rule.

Covered entities and business associates should review the OCR protocols and self-assess their data privacy and security program against them to better assess their own HIPAA compliance and implement any enhancements or corrective actions needed to improve their programs.

Ramy Fayed

About Ramy Fayed

Ramy Fayed is a partner in the Health Care Practice Group in Dentons US LLP's Washington, D.C. office. He has been recognized by Super Lawyers, Nightingale's Healthcare News, and Best Lawyers as one of the leading health care lawyers in the US. In his practice, he advises a broad range of health care organizations, including hospitals, academic medical centers and manufacturers of pharmaceuticals and medical devices on compliance with the federal health care program anti-kickback law, the Stark law, the False Claims Act, and Medicare and Medicaid compliance and reimbursement issues.
