HIPAA Compliance Audit Protocols Posted Online
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently posted on its website the protocol it is using for its Health Insurance Portability and Accountability Act (HIPAA) compliance audits. A report by the Ropes & Gray LLP law firm recommends that covered entities and business associates use the information in the protocols to review their current practices.
The OCR’s HIPAA audit program started in late 2011. It assesses covered entities’ compliance with the HIPAA privacy and security rules. According to the Ropes & Gray report, the new program “signals a major shift in HIPAA enforcement” away from the “largely reactive and complaint-based enforcement activity of the past” and toward a “new era of proactive oversight and enforcement.”
The OCR started a pilot program in November 2011 to perform the audits, which were mandated by the HITECH Act, part of the American Recovery and Reinvestment Act of 2009. The pilot phase of the program will be completed by December 2012.
The protocol establishes 77 performance criteria for the security rule and 88 performance criteria for the privacy and breach-notification rule. Auditors may use a combination of procedures to assess each performance criterion, including interviewing management, collecting and reviewing policies, procedures and detailed supporting documentation, and directly observing an entity’s practices.
Although the OCR states that the audits are “primarily a compliance improvement activity,” with aggregated data used to help it “better understand compliance efforts,” it also said that it may initiate a compliance review if an audit report indicates a “serious compliance issue.”
WeComply’s 40-minute online HIPAA training course teaches HR managers and employees the basic principles of HIPAA privacy laws.