The US Department of Health and Human Services Office of Civil Rights (“OCR”) recently released its HIPAA audit protocol.  Audits of HIPAA compliance were mandated by the 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amended many parts of HIPAA and included breach notification requirements.

The OCR conducted a number of pilot audits of compliance with privacy, security and breach notification requirements of HIPAA covered entities beginning in 2011, and will continue the test phase through December 2012 with a total of 115 such audits.

Protocol Modules

The protocol is divided into two modules: (1) Security, and (2) Privacy and Breach Notification.  The Security module contains 77 entries, covering Security Rule requirements for administrative, physical, and technical safeguards.  The Privacy and Breach Notification module contains 88 entries, and covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures, as well as Breach Notification Rule requirements.

Lax Enforcement No More

At a recent OCR/National Institute of Standards and Technology (NIST) HIPAA Security Conference, one OCR official stated that “It is no longer acceptable to be noncompliant.”  Another official noted that OCR was finding significant issues with security of electronic data, and that many covered entities were failing to conduct risk assessments, and failing to adequately address identified risks.

In the past, OCR had been accused of lax or non-existent enforcement of HIPAA and HITECH violations.  However, recent record-breaking fines of over $1M against several providers which had committed HIPAA breaches, combined with the full audit program being implemented along with the audit protocols, suggest that the OCR is ramping up its enforcement efforts in a big way.  Covered entities will need to take strong actions to comply with the numerous requirements of the laws.

Steps to Take to Comply

The first step toward increased compliance is to conduct a self-audit.  The new audit protocols lay out exactly what the OCR will be looking at in an audit, and will help covered entities identify areas of weakness.  This audit can be conducted by the covered entity itself, or with the guidance of legal counsel or consultants familiar with HIPAA and HITECH requirements.  Once areas are identified, the provider should prioritize by levels of importance and risk, and begin to implement new or revised policies and procedures to address the issues.