Tuesday, April 5, 2016

OCR Releases New Privacy Audit Protocol

Dianne De La Mare


The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has released its new audit protocol, which will measure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules by covered entities (including nursing care centers).

OCR’s HIPAA Audit Program analyzes the processes, controls, and policies of selected covered entities (including nursing care centers) pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act audit mandate. In March 2016, OCR launched its Phase 2 HIPAA Audit Program, and the agency has now published a comprehensive audit protocol describing the requirements to be assessed during those performance audits.

The audit protocol is organized into modules, each representing a separate element of privacy, security, or breach notification. It covers Privacy Rule requirements for:
(1) notice of privacy practices for PHI 
(2) rights to request privacy protection for PHI 
(3) access of individuals to PHI 
(4) administrative requirements 
(5) uses and disclosures of PHI
(6) amendment of PHI; and 
(7) accounting of disclosures. 

It also covers Security Rule requirements for administrative, physical, and technical safeguards, and the requirements of the Breach Notification Rule. The combination of requirements assessed may vary based on the type of covered entity selected for review.

OCR is soliciting feedback from affected stakeholders at OSOCRAudit@hhs.gov.
