HIPAA Privacy, Security, and Breach Notification Audit Program
This is background information regarding phase 1 of the HIPAA audit program.
Final
Issued by: Office for Civil Rights (OCR)
HIPAA Privacy, Security, and Breach Notification Audit Program
Background on the OCR Pilot Privacy, Security, and Breach Notification Audit Program Phase 1: The use of health information technology continues to expand in health care. Although these new technologies provide many opportunities and benefits for consumers, they also pose new risks to consumer privacy. Because of these increased risks, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers. HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. HHS Office for Civil Rights (OCR) enforces these rules, and in 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them. Through this program, OCR developed a protocol, or set of instructions, it then used to measure the efforts of 115 covered entities. As part of OCR’s continued commitment to protect health information, the office instituted a formal evaluation of the effectiveness of the pilot audit program.
Learn more about the Pilot Audit Program.
Learn more about the Audit Evaluation Program.
Learn more about the Audit Program Protocol.
HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.