HIPAA Privacy and Security Audit Protocols
The HIPAA privacy and security rules were enacted in 1996, as part of the Administrative Simplification law. They were later amended in 2009 by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. These rules are intended to ensure protection of individually identifiable medical information, specifically protected health information (PHI). This includes PHI maintained in paper form as well as PHI maintained electronically.
The HIPAA law applies to covered entities, including health plans, health care clearinghouses and health care providers, and, through the HITECH law, to business associates.
Last year, the HHS Office of Civil Rights initiated an audit program (see New Pilot Audit Program: HIPAA Privacy and Security Compliance, January 2012 Benefit Beat).
Recently, the OCR issued an Audit Protocol. These charts provide great information on what would be reviewed in the event of an audit. Specifically, the procedures outline how a covered entity’s compliance with the privacy rules would be assessed in the following areas:
- Notice of privacy practices;
- Individual rights, such as requests for privacy protection and access to an individual’s PHI;
- Compliance with administrative rules and the use and disclosure rules;
- Amending PHI; and
- Accounting of disclosure.
In addition, the protocol reviews compliance with the HIPAA Security and Breach Notification rules.
Anyone responsible for compliance with these rules should use these charts as a roadmap.
The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.
As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.