eHealth

OCR Releases HIPAA Privacy and Security Audit Protocol

David Harlow
David Harlow
2 Min Read

Having completed an initial 20 HIPAA privacy and security compliance audits since last fall, and with 130 additional audits in the pipeline, OCR has just released its HIPAA privacy and security audit protocol, together with information about the audit pilot program.

Having completed an initial 20 HIPAA privacy and security compliance audits since last fall, and with 130 additional audits in the pipeline, OCR has just released its HIPAA privacy and security audit protocol, together with information about the audit pilot program.  As always, information like this is extremely valuable to the regulated community.  Covered entities and business associates should avail themselves of the information contained in the audit protocol and related materials so that they may prepare themselves for the eventuality of an audit or investigation — whether as part of the current audit plan or otherwise — and focus their compliance efforts.

Audit_timeline

From the OCR website: 

The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The protocol covers requirements for the Breach Notification Rule.

TAGGED:
Share This Article
By David Harlow
Follow:
DAVID HARLOW is Principal of The Harlow Group LLC, a health care law and consulting firm based in the Hub of the Universe, Boston, MA. His thirty years’ experience in the public and private sectors affords him a unique perspective on legal, policy and business issues facing the health care community. David is adept at assisting clients in developing new paradigms for their business organizations, relationships and processes so as to maximize the realization of organizational goals in a highly regulated environment, in realms ranging from health data privacy and security to digital health strategy to physician-hospital relationships to the avoidance of fraud and abuse. He's been called "an expert on HIPAA and other health-related law issues [who] knows more than virtually anyone on those topics.” (Forbes.com.) His award-winning blog, HealthBlawg, is highly regarded in both the legal and health policy blogging worlds. David is a charter member of the external Advisory Board of the Mayo Clinic Social Media Network and has served as the Public Policy Chair of the Society for Participatory Medicine, on the Health Law Section Council of the Massachusetts Bar Association and on the Advisory Board of FierceHealthIT. He speaks regularly before health care and legal industry groups on business, policy and legal matters. You should follow him on Twitter.

Stay Connected

Latest News

The Clinical and Interpersonal Skills That Define Excellence in Patient-Centered Care
Health
The Advanced Nursing Credentials That Open Doors to Leadership Roles
The Advanced Nursing Credentials That Open Doors to Leadership Roles
Nursing
The Advanced Practice Nursing Roles Worth Knowing About Before You Specialize
The Advanced Practice Nursing Roles Worth Knowing About Before You Specialize
Nursing
Language Access in Healthcare: What Hospitals Still Get Wrong in 2026
Hospital Administration Technology

You Might also Like