Recently, the Office of Civil Rights (“OCR”) provided an updated protocol that it will use when assessing compliance with HIPAA rules. OCR recently began Phase 2 of its HIPAA compliance audits, extending coverage of these audits to Business Associates (“BAs”) as well as Covered Entities (“CEs”). Both BAs and CEs should pay particular attention to these revised audit protocols, as they indicate exactly what OCR will be looking for when conducting these audits.
To begin with, the updated protocol now distinguishes between the portions that apply to both CEs and BAs and the portions that apply only to CEs. This should prove helpful when BAs refine policies and conduct risk assessments for HIPAA compliance. One of the more beneficial changes to the audit protocol is that it now includes very specific questions for CEs and BAs to answer as part of their risk assessments, and it goes into detail on what elements must be included in a CE’s or BA’s policies and procedures. This ties the requirements tested under the audit more closely to the provisions of HIPAA and the HITECH Act that create the respective responsibilities. Each standard and implementation specification is paired with a specific inquiry in the audit protocol as a means of testing compliance, and the protocol provides additional guidance and explicit examples.
The revised protocol now includes 180 potential areas of scrutiny, up from 165 during the first phase of auditing. It is potentially the strongest tool available to CEs and BAs for measuring their own compliance, providing a roadmap for risk assessment. All CEs and BAs should review the updated audit protocol and evaluate their compliance efforts methodically, working systematically through the revised protocol’s audit inquiries to understand their strengths and weaknesses with respect to the policies and procedures that implement HIPAA’s Security, Privacy, or Breach Notification Rules.