On June 26th, the Office for Civil Rights (OCR), the federal agency that enforces the privacy and security regulations under HIPAA, published the protocol it uses to conduct the audits required by the 2009 HITECH Act. According to OCR, the protocol is designed to analyze the "processes, controls, and policies" of covered entities in an effort to measure compliance under the HIPAA mandate. OCR set out three different areas that will be analyzed under this audit protocol: 1) privacy; 2) security; and 3) breach notification.

  • Privacy: includes audit procedures covering the notice of privacy practices, the right to request privacy protection, access to protected health information ("PHI") by individuals, administrative requirements, uses of PHI, amendments to PHI, and disclosures
  • Security: includes procedures used to measure administrative, physical, and technical safeguards used to secure PHI
  • Breach Notification: procedures for understanding an organization's preparedness to handle a breach event in a manner compliant with the requirements under the law.

The OCR included in its release of the protocol a handy searchable table you can use to find out exactly what kinds of information the auditors will be looking for under any specific requirement. Examples of the information reviewed by the OCR auditors include: review of ePHI handling policies for employees and evaluation of the processes in place to identify critical applications, data, and processing of the data. This webpage is a definite candidate for bookmarking by every HIPAA compliance professional working in the field of PHI security and privacy.