The Office of Civil Rights (OCR) carries out Healthcare Insurance Portability and Accountability Act (HIPAA) audits of Business Associates and Covered Entities. The purpose of these audits is to ensure that these entities are compliant with the provisions laid out in HIPAA under the HITECH Act.
A HIPAA audit carried out by the OCR is part of the OCR's HIPAA Privacy, Security, and Breach Notification Audit Program. OCR audits are carried out to ensure that Covered Entities' processes, controls and policies comply with the provisions of the HITECH Act of 2009. According to hhs.gov, "The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate".
OCR audits follow a wide-ranging, compulsory audit protocol that covers every requirement to be assessed in these audits. The protocol consists of modules, each addressing elements of the three core aspects of OCR audits:
How these three requirements are combined or mixed depends on the type of Covered Entity being audited.
The OCR Audit protocol covers Privacy Rule requirements for the following:
OCR audits take on a renewed vigor for 2016. Starting in 2016, OCR audits will be carried out on 350 select Covered Entities and 50 Business Associates over three years. Health plans, healthcare providers, IT-related vendors, 15 non-IT-related vendors and healthcare clearinghouses are among the CEs and BAs to be covered by OCR audits in 2016.
In addition, the 2016 OCR audits will assess 150 Covered Entities and 50 Business Associates for compliance with the security standards, 100 Covered Entities for compliance with the privacy standards, and 100 Covered Entities for compliance with the breach notification standards.