OCR Releases New HIPAA Audit Protocol
Detailed Guide to Meeting About 180 HIPAA Provisions
Federal regulators have quietly released an updated protocol for use in phase two of HIPAA compliance audits of covered entities and business associates this year.
The Department of Health and Human Services' Office for Civil Rights posted a revamped protocol on its website, noting, "The protocol has been updated to reflect the [HIPAA] Omnibus Final Rule. You may submit feedback about the audit protocol to OCR."
OCR apparently published the revamped protocol late last week, along with some additional details about phase two of the HIPAA audit program, which is in the early stages of being rolled out, says privacy attorney David Holtzman, a former OCR senior adviser who is now vice president of compliance at security consulting firm CynergisTek.
OCR also posted a sample of the pre-screening questionnaire that is being sent out to covered entities and business associates to create a pool from which auditees will be selected (see This Year's HIPAA Audits: Interim Step). Also, OCR posted a sample template for potential auditees to list their business associates. That information will be used to help OCR select some BAs for audits.
"We have heard from a number of folks ... who have received letters from OCR requesting that they provide information about their size, services and revenue," Holtzman tells Information Security Media Group.
Findings from phase two audits will be used to develop a permanent HIPAA audit program, HHS says.
In a statement provided to ISMG, an OCR spokesman says: "The posted protocol is final and will be used in the phase two audits. OCR has included an email address for feedback on the protocol, but there is no comment period." The protocol will not be published in the Federal Register, he adds. "The changes [in the revised protocol] reflect the provisions of the [HIPAA] Omnibus Final Rulemaking of January 25, 2013, which are now effective," he says.
HIPAA compliance audits, mandated under the HITECH Act of 2009, have been on hold since a pilot program wrapped up in 2012. OCR officials last month said that phase two of the audits will focus on "desk audits" of covered entities as well as business associates, to be completed by the end of December, followed by a handful of onsite audits.
In an interview with ISMG last month during the HIMSS 2016 conference, Deven McGraw, OCR deputy director of health information privacy, said OCR plans to conduct about 200 remote desk audits focusing on only a small subset of HIPAA requirements, plus 10 to 25 "full scale audits" that will involve onsite visits.
"We are planning to revise the entire protocol even though for the desk audits we are only going to be auditing for selected provisions," McGraw said.
The revamped audit protocol builds upon the earlier protocol OCR released in 2012 when it launched its pilot phase of HIPAA audits that only scrutinized 115 covered entities for compliance with the HIPAA privacy, security and breach notification rules.
Phase two of the audits will also scrutinize business associates, who became directly liable for HIPAA compliance under the HIPAA Omnibus final rule, which went into effect in 2013.
The updated protocol lists a total of about 180 areas of potential compliance scrutiny by auditors, including 89 areas of the privacy rule, 72 areas of the security rule and 19 areas of the breach notification rule. The original protocol used for the pilot audit program listed a total of about 165 areas of scrutiny.
OCR on its website notes that the audit protocol covers privacy rule requirements for notice of privacy practices for protected health information; rights to request privacy protection for PHI; access of individuals to PHI; administrative requirements; uses and disclosures of PHI; amendment of PHI; and accounting of disclosures.
The protocol also covers security rule requirements for administrative, physical and technical safeguards, as well as requirements for the breach notification rule, which was updated under HIPAA Omnibus, OCR says.
Commenting on the updated protocol, privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "OCR made some nice improvements, such as clarifying what applies to covered entities and more closely tracking the regulations than the prior version."
Holtzman says the new protocol represents a significant change in scope and approach from the 2012 pilot project. "OCR beefed up its criteria for testing compliance with the HIPAA rules by developing an audit design that looks at each standard and implementation specification in each rule and assigning an audit inquiry to measure compliance. In sum, it is comprehensive and detailed in its approach," Holtzman says.
For entities that received the audit address confirmation and, more recently, the screening questionnaire, the new audit protocol is a "must read," Greene says. "Even for entities that did not receive these and are less likely to be audited in this next round, the protocol is a great tool to prepare for any potential OCR investigations, such as one caused by a complaint or breach report."
Covered entities and business associates also can use the enhanced protocol to help assess their compliance programs, says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"The audit protocol is a very useful tool for any company to use in evaluating their overall compliance status and their ability to do well in an audit or investigation," the attorney notes. "It also will be very intimidating, as the protocol is incredibly detailed and granular, far beyond what many companies will have in place, particularly on elements that seldom come into play - for example policies relating to individuals who have been dead more than 50 years."
While the tool may end up being useful for HHS as a knowledge-gathering exercise, Nahra says, "I suspect few companies - even those with very strong compliance - will be able to meet all of the detailed elements of each rule spelled out by this protocol."
Holtzman believes the new, far more detailed audit protocol might be singled out by some "as evidence to support their contention that the HIPAA rules are too complex and demanding for small healthcare providers and employer group health plans."