OCR Releases Protocol for HITECH-Mandated Audits


The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009, requires HHS to periodically audit covered entities and business associates for compliance with applicable provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.  On June 26, 2012, OCR released the protocol that will be used to perform the audits required by HITECH.  The protocol addresses seven aspects of the Privacy Rule and three aspects of the Security Rule.

Privacy Rule:
- Notices of privacy practices
- Right to request privacy protection for PHI
- Access to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accountings of disclosures

Security Rule:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards


The protocol also covers the requirements of the Breach Notification Rule.  In all, the protocol establishes 77 performance criteria and related audit procedures under the Security Rule and 88 performance criteria and related audit procedures under the Privacy and Breach Notification Rules. For example, one audit procedure under the Privacy Rule requires auditors to “inquire of management as to whether the entity maintains a directory of individuals in its facility” and “obtain and review a directory of individuals in the entity’s facility and evaluate the content in relation to the relative specified criteria to determine the disclosure and purpose of such information is appropriate.”

OCR has acknowledged that the precise combination of criteria and procedures applicable to a covered entity or business associate may vary based on the type of entity being audited. The full protocol is available on OCR’s website at http://ocrnotifications.hhs.gov/hipaa.html.

Today’s post was contributed by Gina Kastel and Eric Marshall.
