The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has recently released its Audit Program Protocol for the HIPAA Privacy and Security Audit Program.  The protocol is, in effect, the checklist auditors work from during a HIPAA audit.  Covered entities should use the Audit Procedures section of the protocol to learn what HIPAA auditors will ask about and what evidence they will expect to see.  The protocol details 165 areas of performance evaluation: 77 are dedicated to the HIPAA Security Rule and 88 to the HIPAA Privacy and Breach Notification Rules.

HIPAA Audit Pilot Program

The Federal Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the Privacy and Security Rules and the Breach Notification standards of the Health Insurance Portability and Accountability Act (HIPAA).  To implement this mandate, OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance across a range of entity types.  Audits conducted during the pilot phase began in November 2011 and are expected to conclude in December 2012.

Every covered entity and business associate is eligible for an audit.  Selections in the initial round are designed to provide a broad assessment of a complex and diverse health care industry.  OCR is responsible for selecting the entities to be audited and will audit as wide a range of types and sizes of covered entities as possible: covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit.  Business associates will be included in future audits.

Note that while HIPAA does not specifically cover "employers," employers may have responsibilities under HIPAA in connection with a group health plan that they sponsor.  A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity; however, other provisions of HIPAA may still apply to these small employer plans.

HIPAA Audit Program Protocols Released

On June 26, 2012, OCR released its comprehensive Audit Program Protocol, which contains the requirements to be assessed through the HIPAA Privacy and Security Audit Program.  The Audit Protocol is organized into modules representing separate elements of privacy, security and breach notification.  Which modules, and which of their requirements, are applied may vary based on the type of covered entity selected for review.

1.  The Audit Protocol covers HIPAA Privacy Rule requirements for: 

  • Notice of privacy practices for protected health information (PHI)
  • Rights to request privacy protection for PHI 
  • Access of individuals to PHI 
  • Administrative requirements 
  • Uses and disclosures of PHI 
  • Amendment of PHI
  • Accounting of disclosures

2.  The Protocol covers HIPAA Security Rule requirements for administrative, physical and technical safeguards.

3.  The Protocol covers requirements for the Breach Notification Rule.

Is Your Organization a Covered Entity Under HIPAA? 

Not sure if your business is a covered entity under HIPAA rules?  Download the "Covered Entity Charts" guide from the Centers for Medicare & Medicaid Services.  These charts can be used to determine whether a person, business or government agency is a covered entity.  Go to the chart(s) that apply to the person, business or agency and answer the questions, starting at the upper left-hand side of the chart(s).  Also see the article "What is a 'covered entity' under HIPAA?" from the Health Resources and Services Administration.