The Office for Civil Rights (OCR) of the US Department of Health & Human Services is initiating an auditing process to evaluate compliance with provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It is expected that the audits will expose many healthcare providers and their vendors to enforcement actions.
The increasingly widespread use of electronic protected health information poses a risk to the privacy and security of such information. The HITECH Act requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy and Security Rules. In 2011, OCR, as the agency responsible for the enforcement of these rules, established a pilot audit program to assess the compliance controls and processes implemented by covered entities. Based on the results of the pilot program, OCR developed a protocol to measure the efforts of 115 covered entities – the Phase 1 audit program.