On Tuesday, HHS' Office for Civil Rights published the protocol that it uses to conduct audits of the HIPAA Privacy and Security rules, Health Data Management reports.
The audits are required under the 2009 federal economic stimulus package's HITECH Act.
The audit protocol covers:
- HIPAA Privacy Rule requirements regarding how health care entities use, share and provide access to protected health information;
- HIPAA Security Rule requirements regarding how health care entities enact administrative, physical and technical safeguards for protected health information; and
- Requirements for the Breach Notification Rule (Health Data Management, 6/26).
Adam Greene -- a partner at the law firm Davis Wright Tremaine who formerly worked at OCR -- said the protocol will help health care entities better understand the auditing process.
However, a preliminary analysis by consulting firm CynergisTek stated that the audit protocol "may still leave the industry wanting for more explicit guidance" (Anderson, GovInfoSecurity, 6/26).