HIPAA Privacy, Security, and Breach Notification Audit Program

Background on the OCR Pilot Privacy, Security, and Breach Notification Audit Program Phase 1: The use of health information technology continues to expand in health care. Although these new technologies provide many opportunities and benefits for consumers, they also pose new risks to consumer privacy. Because of these increased risks, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers. HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. HHS Office for Civil Rights (OCR) enforces these rules, and in 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them. Through this program, OCR developed a protocol, or set of instructions, it then used to measure the efforts of 115 covered entities. As part of OCR’s continued commitment to protect health information, the office instituted a formal evaluation of the effectiveness of the pilot audit program.

Learn more about the Pilot Audit Program.

Learn more about the Audit Evaluation Program.

Learn more about the Audit Program Protocol.