Data Protection Report - Norton Rose Fulbright

The HHS Office for Civil Rights (OCR) announced on Monday that it has launched the long-awaited Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program.

As we reported on the Health Law Pulse blog, the purpose of the Audit Program is to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security and Breach Notification Rules.  The audits are intended to supplement OCR’s other enforcement tools, such as complaint investigations and compliance reviews.

In Phase 2, all covered entities and business associates, of all shapes and sizes, are eligible for an audit.  OCR is currently reaching out to potential auditees by email to verify their contact information, and is identifying pools of organizations that represent a wide range of covered entities (health care providers, health plans and health care clearinghouses) and business associates, so that it can evaluate HIPAA compliance across the industry.

To reflect the HIPAA Omnibus Rulemaking, OCR is creating enhanced audit protocols, which will be used in connection with the Phase 2 audits. Covered entities and business associates can use these protocols to conduct internal self-audits as part of their HIPAA compliance programs and to prepare for the OCR audits.

More information about the Audit Program can be found here.
