OCR reveals HIPAA audit protocol

The U.S. Department of Health & Human Services' Office for Civil Rights (OCR) has made public its long-awaited HIPAA audit protocol, posting it on its website on June 26.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended the Health Insurance Portability and Accountability Act in 2009, required OCR to conduct a pilot audit program to assess HIPAA compliance. OCR established the audit protocol, which is searchable and organized around modules, to conduct the audits. The first 20 preliminary audits have been conducted; in all, 115 covered entities will be audited in the pilot program, which will end in December 2012.

The audit protocol covers the following requirements:

  • The Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The Security Rule requirements for administrative, physical, and technical safeguards.
  • The requirements for the Breach Notification Rule.

The goal of the audits is to analyze trends, improve overall compliance and identify best practices, according to Linda Sanches, senior advisor for health information privacy at OCR, who reported on the audits at an OCR/NIST conference earlier this month. OCR does not plan to penalize auditees found in violation, though it will do so if it uncovers "serious compliance issues," she said.

Sanches reported that the preliminary audits have uncovered many HIPAA violations, with the largest share of findings (65 percent) falling under the Security Rule, that is, in keeping electronic patient data secure.

"There are more struggles and more individual requirements [in the security rule]," she noted. Two of the biggest areas of weakness were entities' failure to conduct a risk analysis to identify vulnerabilities in their security programs, and their failure to manage the risks that were found.

Conducting a risk analysis is also a requirement of the Meaningful Use incentive program.

"It is no longer acceptable to be noncompliant," warned Leon Rodriguez, director of OCR, who also spoke at the conference. 

Sanches recommended that covered entities use the protocol to conduct self-audits of their HIPAA compliance. She also recommended that they find, track and account for all patient data, including data on newly deployed devices, and make use of the guidance on OCR's website.

OCR has been in the hot seat for lax enforcement of HIPAA. The Government Accountability Office (GAO) recently chastised OCR for not yet establishing plans to continue the audit program after the pilot, and recommended that it improve its guidance on, and oversight of, HIPAA compliance.

To learn more:
- here's the protocol and the website
- view the webcast of the conference (day 2, part 1)