Protocol provides clues regarding areas of focus for ongoing
HIPAA audits assessing compliance with the Privacy, Security, and
Breach Notification Rules.
The Office for Civil Rights (OCR) at the Department of Health
and Human Services recently published its audit protocol for
assessing compliance with the Privacy, Security, and Breach
Notification Rules under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), as amended by the Health
Information Technology for Economic and Clinical Health Act
(HITECH). The audit protocol can be accessed
here. As required under HITECH, OCR has increased its HIPAA
enforcement efforts by implementing a new audit program.
Employer-sponsored group health plans are among the HIPAA-covered
entities that may be selected for audit by OCR in the initial
stages of its audit program.
Areas Covered by Audit Protocol
The protocol was developed in conjunction with the audit of the
first 20 covered entities selected for OCR's audit program,
including health plans, doctor groups, and hospitals. OCR plans to
conduct a total of 115 audits of covered entities by the end of
2012, and it is expected that the protocol will be refined and
clarified as additional audits are completed.
The protocol covers 165 areas of performance evaluation,
including 88 related to the Privacy Rule and Breach Notification
Rule and 77 related to the Security Rule. With respect to the
Privacy Rule, the audit protocol addresses the following specific
Notice of privacy practices
Rights to request privacy protection
Access of individuals to protected health information
Uses and disclosures of protected health information
Amendment of protected health information
Accounting of disclosures
The protocol also shows that the OCR audits are focused on
technical safeguards under the Security Rule, such as the use of
encryption technology, and requirements related to the Breach
Notification Rule, including risk assessment processes and the
content and timeliness of notifications.
OCR Senior Advisor David Mayer stated recently that money has
been appropriated for the audit program to continue in 2013 and
2014, and he expects it will be expanded to include business
associates some time after the new HIPAA omnibus regulations are
released this summer.
While the HIPAA audit protocol does not contain any major
surprises, its publication serves as a reminder of the increased
enforcement activity in this area. We recommend that group health
plan sponsors and their business associates conduct periodic
self-audits of their HIPAA privacy policies and procedures to
ensure they are best positioned to demonstrate compliance if
confronted with an OCR audit. HIPAA training should be provided on
a regular basis to all employees with access to protected health
information, and sufficient resources should be allocated to
designated HIPAA privacy officers so that they may respond to
complaints, conduct breach investigations, and take other actions
required of them under HIPAA and HITECH.
For more information about the HIPAA services for group health
plan sponsors and their business associates offered by Morgan
Lewis's Employee Benefits and Executive Compensation Practice,
review the HIPAA Privacy Compliance Initiative brochure
Copyright 2012. Morgan, Lewis & Bockius LLP. All Rights
This article is provided as a general informational service
and it should not be construed as imparting legal advice on any
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Whether you are an employer that provides health insurance for your employees, a business in the growing healthcare industry, a hospital, or other medical provider—or you provide services to any of those entities—you need to know about changes to the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Marilyn Tavenner received bipartisan support from members of the Senate Committee on Finance in her confirmation hearing to lead the Centers for Medicare and Medicaid Services (CMS) though a full Senate vote is being held up, the president released his FY 2014 budget proposal with health care reform and specified reimbursement reductions to providers and manufacturers totaling $400 billion over 10 years sprinkled throughout it, and Department of Health and Human Services (HHS) Secretary Sebelius
The Office of Inspector General for the Department of Health and Human Services has recently issued an updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs.
On Tuesday, the North Carolina legislature has enacted into law, pending the governor's signature, a prohibition on the use of most favored nations clauses in contracts between commercial health insurers and providers.