HIPAA News -- Online Toolkit, Audits

The California Office of Health Information Integrity recently made available a free online toolkit to help healthcare providers understand what they need to do to comply with the HIPAA Security Rule. At the federal level, the Office of Civil Rights is closer to completing its pilot HIPAA audit program and recently shared news of its progress to date.

The COHII intends its online toolkit assist medium to small providers with understanding HIPAA security standards requirements and for the providers to ascertain their organization's HIPAA security needs. The Security Rule requires providers assess how patient information is used, managed, stored, and transmitted and to consider ways that information may be accessed by unauthorized individuals or unintentionally released. Providers should then develop plans and procedures for reducing risks and to respond to situations when patient information is breached or is inaccessible through normal routes.

The California toolkit, available here, is billed as the first of its kind and is designed to be both a primer on the HIPAA Security Rule, as well as a case-specific tool for adherence. After using the toolkit, a provider will see indications of where he or she is either "in-compliance" or "out-of-compliance." While the toolkit is useful, it is not a substitute for the opinion of an attorney or qualified privacy/security consultant.


Last November I reported that OCR was initiating a pilot audit program. OCR has audited 20 covered entities as of last June, with 95 more audits to conduct by the end of this year. One dental practice in Colorado was among the hospitals, health plans, and provider practices audited earlier this year.

OCR notifies practices in writing 30 to 90 days before an on-site audit. The length of an audit, conducted by a contractor, can vary from three to ten days, with auditors interviewing key staff and examining policies, procedures, and physical and security features of a practice. Auditors will provide a practice with a draft report, and the practice will have 10 days to review the report and respond. The final report will then go to OCR. More information on the OCR audit protocol can be found here.

The audit program is a compliance improvement activity and not an enforcement activity. OCR will use the reports to understand better how covered entities are complying with HIPAA and to determine what type of technical assistance needs to be developed. The audits are required by law.