Just in time for the Phase 2 audits, the Department of Health and Human Services Office for Civil Rights (OCR) quietly posted the updated HIPAA Audit Protocol on its website. The new audit protocol has been updated to include business associates, who became directly subject to HIPAA following the 2013 HIPAA Omnibus Final Rule. The protocol covers Privacy Rule, Security Rule and Breach Notification Rule requirements and consists of a table that references the relevant rule section, the established performance criteria and the audit inquiry. The protocol is available for public view at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html and is searchable by keyword. The revised protocol will be used by OCR in conducting Phase 2 audits and expands the areas of compliance that will be examined to reflect the Omnibus Final Rule. OCR will accept “feedback” on the audit protocol by email at OSOCRAudit@hhs.gov, but the agency will not be publishing the protocol in the Federal Register and there is no comment period.

OCR representatives have said that covered entities will receive letters about the audits in May and business associates will receive their letters in June or July. While only 200 entities will be subject to the audits, the audit protocol is a helpful tool for business associates and covered entities that would like to assess their own HIPAA compliance or that are the subject of an audit or investigation following a HIPAA breach.

Within the last week, OCR also posted a copy of the pre-screening questionnaire that is being sent to business associates and covered entities to create the pool of audit subjects (see prior blog post). The pre-screening questionnaire may be accessed at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html.

Additionally, OCR posted a sample business associate list template for covered entities and business associates to use in compiling a list of their business associates and subcontractors. The sample template may be accessed at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html.

The HIPAA Audit Protocol is very detailed and complex, covering approximately 180 areas of potential review by OCR.