OCR Releases HIPAA Audit Protocol as Audits Continue
Without pomp and circumstance, OCR made available its protocol for the HIPAA performance audits conducted pursuant to the HITECH audit requirement. The Audit Protocol covers the Privacy, Security and Breach Notification Rules, delineating over 150 areas of performance evaluation. OCR has completed the first set of 20 audits as of March 2012, with the next set of organizations being notified and audited on a rolling basis.
With clear-cut references to each applicable standard and implementation specification, and the key performance criteria, activities and procedures for each, the Audit Protocol revolves largely around whether policies and procedures are in place to address each standard/implementation specification and the extent to which processes within the covered entity actually conform to these policies and procedures. For example, one area of performance evaluation for assessing compliance with the Privacy Rule covers uses and disclosures for treatment, payment and health care operations, requiring the auditor to:
Inquire of management as to whether a process exists for the use or disclosure of PHI for treatment, payment or health care operations provided and whether such use or disclosure is consistent with other applicable requirements. Obtain and review the process and evaluate the content relative to the specified criteria used for use or disclosure of PHI for treatment, payment, or health care operations proided to determine whether such use or discosure is consistent with other applicable requirements. Obtain and review a sample of training programs and evaluate the content relative to the specified criteria to determine the use or disclosure of PHI for treatment, payment, or health care operations provided is consistent with other applicable requirements.
Another critical set of audit procedures inquires about the policies and practices for accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, stating
Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process or transmit ePHI. (emphasis added)
The Audit Protocol can easily be used by covered entities to self-assess their levels of compliance with all aspects of HIPAA and should be a light in the darkness for many organizations. Although the Audit Protocol does NOT tell covered entities exactly how often they need to be conducting a risk assessment, conducting internal audits or reviewing their policies and procedures, how many patient records they should be self-auditing, and other “guarantees” for complying with HIPAA, it still provides a basic roadmap for covered entities to understand what they will be called upon to provide. The Audit Protocol can and should be used to identify what policies, procedures and practices will be carefully scrutinized by OCR and whether the organization’s existing policies and procedures would reasonably pass muster in the event of an audit. It should also be used to assess the level of compliance by the organization’s workforce with such policies and procedures, and the training materials used to educate new-hires and current employees.
Some key areas that OCR has highlighted as problematic include HIPAA risk assessments and user activity monitoring (e.g., audit logs, access reports and security incident reports). OCR has provided guidance previously on conducting risk assessments, see HIPAA Security Standards: Guidance on Risk Analysis, however, as we continually see and the audits have underscored, this remains a source of confusion and an area which covered entities frequently are deficient in. With Meaningful Use also requiring completion of a HIPAA risk assessment for each applicable reporting period, it is even more critical for providers and hospitals to ensure that they are periodically conducting comprehensive risk assessments. It remains to be seen whether CMS and State Medicaid EHR Incentive Program audits will result in recoupment of payments to eligible professionals and hospitals based on a failure to properly perform these risk assessments.
For more information on the OCR Audit Program, visit OCR’s Audit page. HHS and OCR have also made available substantial resources for compliance with the Privacy Rule, as well as the Security Rule that includes the Security Rule Educational Paper Series and links to various NIST Special Publications, all which can be used to assess compliance with HIPAA. You can also check out live and video training workshops and other options on our Workshops page for workforce compliance, as well as our November “Health Law Diagnosis,” which contains additional tips for preparing for an audit.
