HIPAA Privacy, Security and Breach Notification Audit Program (2023)

Audit report on health industry compliance with HIPAA rules

OCR released the 2016-2017 HIPAA Industry Audit Report, in which it audited selected healthcare entities and business associates for compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to periodically audit covered entities and business associates for compliance with HIPAA rules. OCR conducted audits of 166 covered entities and 41 business associates and notified these organizations of OCR's findings. OCR is publishing this industry report to share overall findings on compliance with the revised HIPAA rule provisions across a sample of regulated industries.

  • 2016-2017 HIPAA Industry Audit Report*
  • Press release

    *People using assistive technology may not have full access to the information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, toll free TDD: (800) 537-7697, or by email at OCRMail@hhs.gov.

As part of our ongoing efforts to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules, OCR's 2016 Phase 2 Audit Program examined the policies and procedures adopted and implemented by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

Background on Phase One of OCR's Privacy, Security and Breach Notification Audit Program:

HIPAA established important national standards for the privacy and security of protected health information, and the Health Information Technology for Economic and Clinical Health (HITECH) Act established breach notification requirements to ensure greater transparency for individuals whose information may be compromised. HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities' and business associates' compliance with HIPAA's Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR conducted a pilot audit program to evaluate the controls and procedures implemented by 115 covered entities to comply with HIPAA requirements. OCR also conducted an extensive evaluation of the effectiveness of the pilot program. Based on this experience and the results of the evaluation, OCR is implementing the second phase of the program, which will audit both covered entities and business associates. As part of this program, OCR is developing improved protocols (sets of instructions) to be used in the next round of audits and is implementing a new strategy to test the effectiveness of the Office's audits in evaluating industry compliance efforts with HIPAA. You can submit comments about the protocol to OCR at OSOCRAudit@hhs.gov.

Read more about the first phase of the HIPAA audit program.

Phase 2 Audits

Warning: Phishing email masquerading as an official OCR audit notice - November 28, 2016

We have noticed a phishing email circulating on mock HHS letterhead under the signature of OCR Director Jocelyn Samuels. This email appears to be an official government communication and is targeted at employees of HIPAA-covered entities and their business associates. The email invites recipients to click on a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Notification Audit Program. The link directs people to a non-government website that advertises the sending company's cybersecurity services. This company is in no way affiliated with the US Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this company very seriously.

OCR would like to further advise that this phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to the URL at https://www.hhs-gov.us. This is a subtle difference from the official email address for the HIPAA Audit Program, OSOCRAudit@hhs.gov, but this subtlety is typical of phishing scams.

Covered entities and business associates should alert their employees to this issue and note that official notices regarding the HIPAA Audit Program are sent to selected audit entities by email from OSOCRAudit@hhs.gov. If you or your organization has a question about whether it has received an official communication from OCR regarding a HIPAA audit, please contact us by email at OSOCRAudit@hhs.gov.
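As an added defender-side example that is not part of the OCR page, the check below classifies a From: header or a link against the official hhs.gov domain named above, flagging hyphen-for-dot lookalikes such as hhs-gov.us and nested imitations like hhs.gov.example.com; the sample headers and URLs in the test are constructed. It is a triage heuristic only, since the From: header itself is attacker-controlled.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# The official sender domain named on the page; everything below it is added here.
OFFICIAL_DOMAIN = "hhs.gov"


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: header, ignoring the display name."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_official(domain: str) -> bool:
    """True only for hhs.gov itself or a genuine subdomain of it (e.g. www.hhs.gov)."""
    return domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """Flag domains that imitate hhs.gov by swapping the dot for a hyphen
    (hhs-gov.us) or by hanging the official name under another registrable
    domain (hhs.gov.example.com). Splits on dots and hyphens, so the
    labels 'hhs' and 'gov' must both be present as whole labels."""
    if not domain or is_official(domain):
        return False
    labels = re.split(r"[.\-]", domain)
    return "hhs" in labels and "gov" in labels


def classify_domain(domain: str) -> str:
    """Return 'official', 'lookalike' or 'other' for a bare domain."""
    if is_official(domain):
        return "official"
    if is_lookalike(domain):
        return "lookalike"
    return "other"


def classify_sender(header_value: str) -> str:
    """Classify the domain in a From: header value."""
    return classify_domain(sender_domain(header_value))


def classify_url(url: str) -> str:
    """Classify the host of a link found in the message body."""
    return classify_domain((urlparse(url).hostname or "").lower())
```

Run it over the From: header and every link in a suspect message; a "lookalike" verdict is the cue to report the message rather than click through.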

New Guidance for 2016 Desk Audits

  • Slides from the Regulated Entities Webinar held on July 13, 2016
  • A comprehensive list of questions and answers

Read the notice: OCR Begins Phase 2 of HIPAA Audit Program

Objectives of the program:

The audit program is an important part of OCR's overall privacy, security, and health information breach notification activities. OCR uses an audit program to evaluate the HIPAA compliance efforts of a variety of entities covered by the HIPAA regulations. Audits provide an opportunity to review compliance mechanisms, identify best practices, uncover risks and vulnerabilities that may not have been discovered during OCR's ongoing complaint investigations and compliance audits, and allow us to address issues before they lead to breaches. OCR will broadly identify best practices gathered through the audit process and provide guidance targeting the compliance challenges identified.

When will the next round of audits start?

Who will be the subject of the audit?

On what basis will respondents be selected?

How will the selection process work?

How will the audit program work?

What if an entity does not respond to OCR's requests for information?

What is the general timeline for the audit?

What happens after the audit?

How will this affect consumers?

Will audits vary by the size and type of auditee?

Will auditors consider applicable state privacy and security rules in addition to the HIPAA Privacy, Security, and Breach Notification Rules?

Who is responsible for paying the on-site auditor?

When will the next round of audits start?

The second phase of OCR's HIPAA audit program is underway. Selected covered entities received notification letters on Monday, July 11, 2016. Audits of business associates will begin in the fall. OCR has begun obtaining and verifying contact information to identify covered entities and business associates of various types and to determine which are appropriate for inclusion in potential audit pools. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity's spam filtering and virus protection are enabled automatically, we expect you to check your junk or spam folder for emails from OSOCRAudit@hhs.gov. Click here to see a sample email letter.

Who will be the subject of the audit?

Every covered entity and business associate is eligible for an audit. This includes covered individual and organizational health care providers; health plans of all sizes and functions; health care clearinghouses; and a wide range of business associates of these entities. We expect covered entities and business associates to provide full cooperation and support to auditors.

On what basis will respondents be selected?

For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a broad range of health care providers, health plans, health care clearinghouses, and business associates. By considering a broad range of potential auditees, OCR can better assess HIPAA compliance across the industry, taking into account the size, types, and operations of potential auditees. Sampling criteria for selecting audited entities will include the entity's size, its affiliation with other health care organizations, the type of entity and its relationship to individuals, whether the organization is public or private, geographic factors, and OCR's current enforcement activity. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

How will the selection process work?

After entity contact information is collected, a questionnaire designed to collect data on the size, type, and operations of potential auditees will be sent to covered entities and business associates. This data will be used with other information to create pools of potential auditees from which audit subjects are selected. Click here to view the pre-screening questionnaire.

OCR will also ask covered entities to identify their business associates. We encourage covered entities to prepare a list of each business associate with contact information so they can respond to this request.

OCR will select audited entities by random sampling from the audit pool. Selected auditees will then be notified of their participation. Click here to view a sample template that entities can use to create a business associate list. Use of this template is optional.

If a covered entity or business associate does not respond to requests for information, OCR will use publicly available information about the entity to build its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

How will the audit program work?

OCR plans to conduct desk audits and on-site audits of covered entities and their business associates. The first round of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and auditees will be notified of the subject or subjects of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016.

The third set of audits will be on-site and will examine a broader range of HIPAA requirements than the desk audits. Some desk auditees may be subject to a subsequent on-site audit.

The audit process will use common audit techniques. Entities selected for an audit will be notified of their selection by email and will be asked to submit documents and other information in response to a document request letter. Auditees will submit documents online through OCR's new secure audit portal. There will be fewer on-site visits during this second phase of audits than in the first phase, but auditees should be prepared for a site visit when OCR deems it appropriate. Auditors will review the documentation and then compile and share draft findings with the entity. Auditees will have an opportunity to respond to these draft findings, and their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain the entity's responses to the draft findings.

What if an entity does not respond to OCR's requests for information?

If an entity does not respond to OCR's requests for information, including address verification, the pre-audit screening questionnaire, and the document request sent to selected entities, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

What is the general timeline for the audit?

In the coming months, OCR will notify selected covered entities in writing by email of their selection for a desk audit. The OCR notification letter will introduce the audit team, explain the audit process, and discuss OCR's expectations in more detail. In addition, the letter will contain initial requests for documentation. OCR expects audited entities to submit the requested information through OCR's secure portal within 10 business days of the date of the information request. All documents must be in digital format and submitted electronically through the secure online portal.

After receiving these documents, the auditor will review the submitted information and provide draft findings. Auditees will have 10 business days to review the draft findings and return written comments, if any, to the auditor. The auditor will complete the final audit report for each entity within 30 business days of the auditee's response. OCR will share a copy of the final report with the audited entity.

As desk audits of covered entities are conducted, OCR will repeat the notification and document request process to initiate desk audits of selected business associates. OCR will share a copy of the final report with the audited business associate.

Similarly, entities will be notified by email of their selection for an on-site audit. Auditors will schedule an entrance conference and provide more information about the on-site audit process and audit expectations. Each on-site audit will be conducted over three to five days, depending on the size of the entity. On-site audits will be more comprehensive than desk audits and will cover a wider range of HIPAA rule requirements. As with a desk audit, entities will have 10 business days to review the draft findings and submit written comments to the auditor. The auditor will complete the final audit report for each entity within 30 business days of the auditee's response. OCR will share a copy of the final report with the audited entity.

What happens after the audit?

Audits are primarily a compliance improvement activity. OCR will review and analyze the information from the final reports. The aggregated results of the audits will allow OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. In general, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions would be most helpful. Through the information gathered from audits, OCR will develop tools and guidance to help the industry self-assess compliance and prevent violations.

If the audit report indicates a serious compliance issue, OCR may initiate a compliance review for further investigation. OCR will not publish a list of audited entities or individual audit findings that clearly identify an audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon public request. In the event that OCR receives such a request, we will comply with FOIA regulations.

How will this affect consumers?

The audit program is an important tool for ensuring compliance with HIPAA's protections for the benefit of individuals. For example, an audit program may uncover promising practices or the causes of health information breaches, and it will help OCR create tools for covered entities and business associates to better protect identifiable health information. Compliance issues identified and addressed through the audits will help improve the privacy and security of health records. The technical assistance and promising practices that OCR develops will also help covered entities and business associates improve their efforts to keep health records private and secure. During the audit process, OCR will continue to accept complaints from individuals and initiate compliance reviews where warranted. The compliance obligations of covered entities and business associates remain in full force.

Will audits vary by the size and type of auditee?

Audit protocols are designed to work with a wide range of covered entities and business associates, but their implementation may vary depending on the size and complexity of the entity being audited.

Will auditors consider applicable state privacy and security rules in addition to the HIPAA Privacy, Security, and Breach Notification Rules?

No. The scope of the audit program is limited to the HIPAA Privacy, Security, and Breach Notification Rules.

Who is responsible for paying the on-site auditor?

The Department of Health and Human Services pays for the on-site auditors. Neither covered entities nor their business associates are responsible for the cost of the audit program.

Article information

Author: Maia Crooks Jr

Last Updated: 01/14/2023
