Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data, including highly sensitive information, to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. It is mission-critical to the successful development (and future viability) of a health app to consider the privacy issues up front (otherwise known as "privacy by design") because it is cheaper to build privacy in than it is to remediate later.

(Note: This was originally posted as part 6 of a 7-part series, Building a Health App?, on our sister blog, Health Law & Policy Matters.)


Full post: HIPAA and Other Privacy Considerations at Play when Building a Health App

At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.

The protocol covers the following subject areas:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.

Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate's name, contact information, type of services, and website.

Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.

As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment. Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.


Originally posted to Mintz Levin’s Health Law & Policy Matters Blog on 4/20/16

Written by: Dianne Bourque and Stephanie Willis

As promised by the Department of Health and Human Services' Office for Civil Rights (OCR), and as reported here on June 11th, OCR has released its HIPAA privacy and security audit protocols. The audit protocols are intended to cover the three main areas of HIPAA privacy and security enforcement:

  1. Privacy Rule requirements, specifically:
     • notice of privacy practices for Protected Health Information (PHI);
     • rights to request privacy protection for PHI;
     • access of individuals to PHI;
     • administrative requirements;
     • uses and disclosures of PHI;
     • amendment of PHI; and
     • accounting of disclosures.
  2. Security Rule requirements for administrative, physical, and technical safeguards.
  3. Breach Notification Rule requirements.

The protocol addresses 165 performance criteria: 77 of these focus exclusively on compliance with the Security Rule, and the remaining 88 address the Privacy Rule and Breach Notification Rule requirements together.

During his presentation at the 2012 American Health Lawyers Association Annual Meeting in Chicago, Illinois, OCR Senior Advisor David Mayer stated that the protocol presently on the website is an updated version of the protocol used to audit the first 20 covered entities selected for examination during the HITECH audit pilot program period. He also stated that 95 more covered entities will be audited to meet OCR's goal of auditing 115 entities, and that OCR has not opened any additional compliance reviews arising from the 20 audits it has completed so far. Last, he noted that once the HIPAA Omnibus Rule is published, OCR will likely begin auditing business associates as well.

Mr. Mayer also provided some of his preliminary observations gathered during the audit pilot program period. An audible gasp rose from the crowd when he recounted a story in which, when the KPMG auditors arrived to complete the audit of a covered entity, the covered entity's representatives essentially said, "We have nothing; we are so glad to see you because we need your help." The audit was a wake-up call to that covered entity to prioritize its HIPAA privacy and security compliance programs.

Mr. Mayer announced that OCR plans to continue its audit program in 2013 and 2014, and that the agency has been appropriated the money to do so. All covered entities, particularly small providers (who historically have accounted for a high proportion of HIPAA violations), should take the opportunity to use the audit protocols as a guide to draft or revamp their HIPAA compliance policies and procedures, and to devise a plan of action for responding to audits in an organized and comprehensive manner.

Mr. Mayer noted to the audience that they would be "surprised" at how many covered entities do not have HIPAA compliance policies and procedures in place. Covered entities should take this comment as a reminder that it is not too late to put such policies and procedures in place, not as a signal that there is still time to wait before doing so.

If you have questions regarding HIPAA compliance or HIPAA audit response plans, please contact a member of your Mintz Levin service team or a Mintz Levin privacy attorney.

Originally posted at