OCR Audits are slated for early 2016

The Office of Civil Rights (OCR) carries out Healthcare Insurance Portability and Accountability Act (HIPAA) audits of Business Associates and Covered Entities. The purpose of these audits is to ensure that these entities are compliant with the provisions laid out in HIPAA under the HITECH Act.

A HIPAA audit carried out by the OCR is part of the OCR's HIPAA Privacy, Security, and Breach Notification Audit Program. OCR audits are carried out to ensure that Covered Entities' processes, controls and policies are in compliance with the provisions of the HITECH Act of 2009. According to hhs.gov, "The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate".

Mix and match

OCR Audits follow a wide-ranging, compulsory audit protocol that contains all the requirements to be assessed through these audits. The OCR Audits protocol consists of modules that denote different elements relating to the three core aspects of OCR Audits:

  • Privacy
  • Security
  • Breach notification

How these three requirements are combined depends on the type of Covered Entity being audited by the OCR.

Privacy Rule requirements of the OCR audit protocol

The OCR Audit protocol covers Privacy Rule requirements for the following:

  • Notice of privacy practices for Protected Health Information (PHI)
  • Patients' right to request privacy protection for PHI
  • Monitoring which kinds of individuals access PHI
  • OCR Audits administrative requirements
  • Uses to which the PHI is put, and rules for its disclosure
  • Ways and extent to which the PHI can be amended
  • Keeping an account of disclosures

What is coming up for 2016?

OCR audits take on a renewed vigor for 2016. OCR Audits will be carried out on 350 select Covered Entities and 50 Business Associates over three years starting in 2016. Health plans, healthcare providers, IT-related vendors, 15 non-IT-related vendors and healthcare clearinghouses are among the CEs and BAs that are going to be covered by OCR audits in 2016.

Along with these, OCR audits for 2016 will also be done for 150 Covered Entities and 50 Business Associates for compliance with the security standards, 100 Covered Entities for compliance with the privacy standards, and 100 Covered Entities for compliance with the breach notification standards.