The recent release of the new OCR audit protocol gives us new guidance on what they expect from HIPAA compliance programs. There is a great deal of information to sift through if you are so inclined. To make it easier for you we are discussing some of the details and things we have learned from reviewing it for you! So, here is our review of the new OCR audit protocol!
New OCR Audit Protocol Review
On the HHS website, you can access the new OCR audit protocol for yourself. It is a great tool to help you understand exactly what they expect your compliance program to include.
From the opening information on the website;
The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
- The audit protocol covers Privacy Rule requirements for
- notice of privacy practices for PHI,
- rights to request privacy protection for PHI,
- access of individuals to PHI,
- administrative requirements,
- uses and disclosures of PHI,
- amendment of PHI, and
- accounting of disclosures.
- The protocol covers Security Rule requirements for:
- physical, and
- technical safeguards.
- The protocol covers requirements for the Breach Notification Rule.
- Where the document says “entity,” it means both covered entities and business associates unless identified as one or the other;
- Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards;
- The auditor will be provided certain documents and items for review; not necessarily all policies and procedures;
- Unless otherwise specified, all document requests are for versions in use as of date of the audit notification and document request;
- Unless otherwise specified, selected entities should submit documents via OCR’s secure online web portal in PDF, MS Word or MS Excel formats;
- If the requested number of documentation of implementation is not available, the entity must provide instances from previous years to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
- Workforce members include entity employees, contractors, students, and volunteers; and,
- Information systems include hardware, software, information, data, applications, communications, and people.
One example line item out of the 180 included:
|§164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.||Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
Determine how the entity has implemented the requirements.
Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in risk analysis and how frequently the risk analysis will be reviewed and updated.
Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI was been conducted. Evaluate and determine whether the risk analysis or other documentation contains:
Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any. Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any. If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why.
In our continued review of the new OCR audit protocol we will be updating all of our assessments and plans as we see needed.