As part of HIPAA, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) developed a set of protocols for auditing HIPAA-covered entities. These protocols aim to assess the processes, controls, and policies related to privacy, security, and breach notification.
Understanding the HIPAA audit protocols
The OCR published HIPAA audit protocols in March 2013, comprising 169 modules that thoroughly analyze various aspects of privacy, security, and breach notification. Each HIPAA-covered entity may not be subject to all modules; the assessment areas depend on the nature of the entity's business. The key areas targeted by the protocols for auditing HIPAA-covered entities are:
HIPAA Privacy Rule
The HIPAA Privacy Rule protects patients' rights and personal health information. It covers several elements, including:
- Notice of privacy practices for PHI
- Patients' rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
HIPAA Security Rule
The HIPAA Security Rule outlines requirements for administrative, physical, and technical safeguards to protect PHI. The three safeguards encompass a wide range of measures, including:
- Risk assessments
- Secure storage and transmission of PHI
- Development of messaging policies
- Prevention of unauthorized access to PHI
- Secure communication of PHI
- Implementation of sanctions for breaches
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule specifies how covered entities should handle breaches of PHI. It outlines the steps to determine if a breach has occurred when to report it to the OCR, who else to notify and the necessary actions to take in the event of a breach by a business associate.
Given the increasing use of personal mobile devices in healthcare settings, the protocols for auditing HIPAA-covered entities have been updated to address the associated risks. Research indicates that over 80% of physicians use personal mobile devices to access or communicate PHI. Consequently, the loss or theft of such devices has become a leading cause of patient data breaches.
Read also: Understanding and implementing HIPAA rules
Why do audits matter?
Remember, HIPAA compliance is not just a legal requirement. It's also essential for building trust with your patients. When patients trust their PHI is safeguarded, they are more likely to feel comfortable sharing their information with you and seeking treatment when needed. So, take the time to audit your HIPAA compliance and protect your patient's PHI.
Go deeper:
Steps of conducting a HIPAA compliance audit
Conducting a HIPAA compliance audit of your practice is a great way to assess compliance with current regulations and identify areas needing improvement and avoid a dreaded breach and the associated penalties of an OCR compliance assessment.
- Conduct a risk analysis
- Review Policies and Procedures
- Review Business Associate Agreements
- Ensure Physical Security Measures are in Place
- Ensure Electronic Security Measures are in Place
- Train Staff on HIPAA Compliance
OCR compliance assessments
HIPAA-covered entities must comply with protocols audited by the OCR. In the latest assessments, many entities failed due to a lack of awareness. To avoid penalties, healthcare organizations should familiarize themselves with HIPAA audit protocols on the OCR website. Implement measures to safeguard PHI to pass OCR compliance assessments.
See also: HIPAA Compliant Email: The Definitive Guide
Farah Amod
