OCR Releases Protocol for HIPAA Privacy, Security and Breach Notification Audits


On June 26, 2012, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) posted on its website the protocol it developed to serve as a guideline for the recently implemented Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) compliance audits. Mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, these audits are conducted as part of the new OCR HIPAA Audit program (the “Audit program”). Launched in late 2011, the Audit program is intended to assess covered entities’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The Audit program signals a major shift in HIPAA enforcement, ushering in a new era of proactive oversight and enforcement and a departure from the largely reactive, complaint-based enforcement activity of the past.

On June 10, 2011, HHS awarded KPMG a $9.2 million contract to develop a comprehensive and focused audit protocol for the Audit program and to conduct the audits on behalf of OCR. For the pilot of the Audit program, OCR initially aimed to audit 150 entities by the end of 2012, but has since revised its estimate and decreased the total number of audits to 115. OCR implemented the Audit program pilot in three steps. First, in late 2011, OCR and KPMG developed an initial audit protocol and selected the sample of audit targets. OCR and KPMG then used an initial test phase to refine the audit protocol by auditing 20 covered entities from late 2011 to mid-2012. From there, OCR and KPMG stated that they planned to refine the audit protocol further and move on to audit the remaining 95 covered entities. The long-awaited audit protocol provides insight into which HIPAA requirements the auditors scrutinize during these audits, and how they ultimately assess compliance with those requirements.

Please see full alert below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising
