OCR Publishes HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol

July 9, 2012 · Categories: Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security

July 9, 2012.  Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol.  Here is OCR’s description of the program, which outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules:

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.  OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.  The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.  The combination of these multiple requirements may vary based on the type of covered entity selected for review.

  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI [protected health information], (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The protocol covers requirements for the Breach Notification Rule.”

The OCR Audit Protocol Web site link highlighted above outlines each of the audit procedures, which begin with the phrase “inquire of management,” and permits keyword search. As an example, we reproduce below the first audit procedure under the Security Rule, whose key activity is “conduct risk assessment”:

Section: 45 CFR 164.308

Established Performance Criteria:  45 CFR 164.308(a)(1).  Security Management Process (45 CFR 164.308(a)(1)(ii)(A)) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Key Activity:  Conduct Risk Assessment

Audit Procedures:  Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI [electronic PHI].  Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.  Evidence of the covered entity’s risk assessment process or methodology considers the elements in the criteria and whether it has been updated or maintained to reflect changes in the covered entity’s environment.  Determine if the covered entity risk assessment has been conducted on a periodic basis.  Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

Implementation Specification:  Required.

HIPAA.com recommends that covered entities pay close attention to the wording of OCR’s audit procedures as they pertain to their documented and implemented policies and procedures, both to pass a compliance audit and to avoid potentially costly and time-consuming OCR enforcement action.


1 Comment

  • SHERRY VELOZ/ VERONICA VELOZ

    May 26, 2015 at 6:19 PM

    Please contact. Our HIPAA was violated Friday 5/22/2015. I reported, nothing was done. I need to know what action I can take, due to managers and employees were talking and discussing my medical and personal file in the office. 5 employees called to see if I called up there, and I was shocked, due to that is my private business. I called the office in California, due to I have no trust at that office. I need it to be investigated. I have proof and they have cameras; the times were between 8-10:30, talking about my personal file. The managers were overheard by the employees, that's why I was called and texted at the time, the unfairness due to HIPAA LAWS.

© 2023 · hipaa.com