Office for Civil Rights Publishes HIPAA Audit Protocol

Jul 26, 2012

The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 updated HIPAA and, in doing so, obliged the Department of Health & Human Services’ Office for Civil Rights (OCR) to carry out a program of compliance audits to make sure the new rules had been put into action.

After an initial phase of 20 pilot audits, the OCR has produced an audit protocol that will be used to review compliance at a total of 155 HIPAA-covered entities, with the audits due to finish in December 2012.

Since any covered entity can be audited – not just large healthcare providers – it is vital that all organizations check their procedures and revise them as required to take the new Security Rule requirements into account.

The OCR has now released the long-awaited audit protocol on its website, detailing the specific aspects of HIPAA – the Privacy Rule, the Security Rule and the Breach Notification Rule – that will be assessed.

Three main parts of the legislation are specifically examined under the audit protocol: adoption of the Privacy Rule, adoption of the Security Rule, and compliance with the Breach Notification Rule.

Under the Privacy Rule, organizations will be audited on their policies and procedures covering: the notice of privacy practices for Protected Health Information (PHI), patients’ rights to request privacy protection for their PHI, individuals’ rights of access to their own PHI, proper use and disclosure of PHI, amendments to PHI, accounting of disclosures, and all of the HIPAA Privacy Rule’s administrative requirements.

Under the Security Rule, HIPAA-covered entities must implement appropriate administrative, physical and technical safeguards to protect PHI, and auditors will look for evidence that these safeguards have actually been put in place. Policies and procedures will also be reviewed to make sure they adhere to the recent changes to the Breach Notification Rule.

The purpose of the audits is not to punish organizations that have failed to implement the necessary changes, but to get a general picture of compliance across the healthcare sector. The data gathered in the audits can be used to analyze trends and identify areas where the legislation is proving difficult to implement, so that obstacles can be recognized and steps taken to ensure the legislation has its intended effect.

Financial penalties are not expected to be issued for non-compliance discovered in the audits, although corrective action plans are likely to be issued to organizations found not to have made the required changes. Any serious security problems uncovered could still result in a substantial fine.

It has become clear that, while many healthcare organizations have adopted the legislative amendments and updated their policies and procedures, a significant number have not taken sufficient steps to protect the ePHI of their patients and policy holders. The OCR says that the greatest issue affecting the sector is keeping ePHI safe and secure: 65% of organizations found to have breached HIPAA regulations did so because of inadequate processes for protecting electronic health records.

The main Security Rule issue found by the OCR was a failure by organizations to complete a thorough risk analysis of their IT systems to identify security weaknesses. Even when issues were identified, many healthcare organizations were unsure how to properly manage the risks they had found.

Performing risk assessments is now mandatory, not only under the Security Rule but also under the Meaningful Use program. As OCR Director Leon Rodriguez commented at the OCR/NIST conference this month, “It is no longer acceptable to be non compliant”.

With the government having recently questioned the effectiveness of OCR’s enforcement of HIPAA, future audit programs are likely to see non-compliance enforced much more vigorously, and breaches are likely to result in substantial financial penalties.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
