OCR HIPAA Audit Protocol

OCR has released the protocol updated for the HIPAA omnibus rule and the recently-launched Phase 2 HIPAA compliance audits.

OCR HIPAA Audit Protocol

The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

The updated protocol identifies approximately 180 areas for potential audit inquiry: 89 from the Privacy Rule (addressing notice of privacy practices, rights to request privacy protection, access, administrative requirements, uses and disclosures, verification requirements, amendment, and accounting of disclosures), 72 from the Security Rule (administrative, physical, and technical safeguards including security risk assessment and awareness training), and 19 from the Breach Notification Rule (including breach risk assessment).

2016 Audit Program

On March 21, 2016, OCR announced Phase Two of its HIPAA Audit program

OCR has indicated that the audits are designed to not be punitive and continues to treat its enforcement efforts as

an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.

The OCR is sending emails to covered entities and will be be transmitting pre-audit questionnaires to these entities.  They will use the questionnaires to gather data about the size, type, and operations of potential auditees and will also ask for lists of their business associates, with contact info.   OCR will randomly select covered entities and business associates for audit.

Entities will not be assessed on all audit areas — the requirements that will be reviewed in a particular audit session will vary based on the type of covered entity selected for review.

The first set of audits are planned to be “Desk Audits” where entities will be asked to submit documents through a secure online portal within ten business days of the request.  Additional audits will be conducted on-site.

Audit Preparation

Steps to prepare your organization for an audit include:

1. Prepare an audit response plan — identify the individual who will lead the response to any audit request and watch email for communications from [email protected].
2. Perform an assessment of your existing HIPAA privacy and security compliance program.  The recently released audit protocol is one tool.
3. Review, update, and organize evidence of compliance including your Security Risk Assessment, Disclosure and Breach Assessment Records, Employee Annual Training Records, Backup and Recovery Records, and Business Associate Agreements.
4. Address and remediate weaknesses, policies, training, and gaps discovered.

It is often helpful to work with a third-party expert to help your team objectively assess the maturity of your program, identify gaps, update policies and procedures, and practical implementation guidance.

To complete your internal audit of your HIPAA program and prepare and remediate your privacy and security program for a potential OCR audit, contact Double-Helix.