OCR Releases Audit Protocol

OCR Releases Audit Protocol

Want to know what the OCR audits will look like? OCR has let us know.

The HIPAA privacy and security enforcer has released its audit protocol. OCR breaks down 77 areas for which it will be reviewed during its initial phase of audits. OCR, per HITECH, is required to audit covered entities and business associates for HIPAA compliance. It has audited 20 in its test phase and plans to audit 95 more by the end of 2012.

"OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits," according to the OCR website. "The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review."

The audit protocol covers:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures
  • Security Rule requirements for administrative, physical, and technical safeguards
  • Breach Notification Rule requirements