[BreachExchange] OCR Releases New HIPAA Audit Protocol

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 5 18:18:27 EDT 2016


http://www.databreachtoday.com/ocr-releases-new-hipaa-audit-protocol-a-9019

Federal regulators have quietly released an updated protocol for use in
phase two of HIPAA compliance audits of covered entities and business
associates this year.

The Department of Health and Human Services' Office for Civil Rights posted
a revamped protocol on its website, noting, "The protocol has been updated
to reflect the [HIPAA] Omnibus Final Rule. You may submit feedback about
the audit protocol to OCR."

OCR apparently published the revamped protocol late last week, along with
some additional details about phase two of the HIPAA audit program, which
is in the early stages of being rolled out, says privacy attorney David
Holtzman, a former OCR senior adviser who is now vice president of
compliance at security consulting firm CynergisTek.

OCR also posted a sample of the pre-screening questionnaire that is being
sent out to covered entities and business associates to create a pool from
which auditees will be selected (see This Year's HIPAA Audits: Interim
Step). Also, OCR posted a sample template for potential auditees to list
their business associates. That information will be used to help OCR select
some BAs for audits.

"We have heard from a number of folks ... who have received letters from
OCR requesting that they provide information about their size, services and
revenue," Holtzman tells Information Security Media Group.

Findings from phase two audits will be used to develop a permanent HIPAA
audit program, HHS says.

In a statement provided to ISMG, an OCR spokesman says: "The posted
protocol is final and will be used in the phase two audits. OCR has
included an email address for feedback on the protocol, but there is no
comment period." The protocol will not be published in the Federal
Register, he adds. "The changes [in the revised protocol] reflect the
provisions of the [HIPAA] Omnibus Final Rulemaking of January 25, 2013,
which are now effective," he says.

Protocol Details

HIPAA compliance audits, mandated under the HITECH Act of 2009, have been
on hold since a pilot program wrapped up in 2012. OCR officials last month
said that phase two of the audits will focus on "desk audits" of covered
entities as well as business associates, to be completed by the end of
December, followed by a handful of onsite audits.

In an interview with ISMG last month during the HIMSS 2016 conference,
Deven McGraw, OCR deputy director of health information privacy, said OCR
plans to conduct about 200 remote desk audits focusing on only a small
subset of HIPAA requirements, plus 10 to 25 "full scale audits" that will
involve onsite visits.

"We are planning to revise the entire protocol even though for the desk
audits we are only going to be auditing for selected provisions," McGraw
said.

The revamped audit protocol builds upon the earlier protocol OCR released
in 2012 when it launched its pilot phase of HIPAA audits that only
scrutinized 115 covered entities for compliance with the HIPAA privacy,
security and breach notification rules.

Phase two of the audits will also scrutinize business associates, who
became directly liable for HIPAA compliance under the HIPAA Omnibus final
rule, which went into effect in 2013.

The updated protocol lists a total of about 180 areas of potential
compliance scrutiny by auditors, including 89 areas of the privacy rule, 72
areas of the security rule and 19 areas of the breach notification rule.
The original protocol used for the pilot audit program listed a total of
about 165 areas of scrutiny.

OCR on its website notes that the audit protocol covers privacy rule
requirements for notice of privacy practices for protected health
information; rights to request privacy protection for PHI; access of
individuals to PHI; administrative requirements; uses and disclosures of
PHI; amendment of PHI; and accounting of disclosures.

The protocol also covers security rule requirements for administrative,
physical and technical safeguards, as well as requirements for the breach
notification rule, which was updated under HIPAA Omnibus, OCR says.

Commenting on the updated protocol, privacy attorney Adam Greene of the law
firm Davis Wright Tremaine notes: "OCR made some nice improvements, such as
clarifying what applies to covered entities and more closely tracking the
regulations than the prior version."

Holtzman says the new protocol represents a significant change in scope and
approach from the 2012 pilot project. "OCR beefed up its criteria for
testing compliance with the HIPAA rules by developing an audit design that
looks at each standard and implementation specification in each rule and
assigning an audit inquiry to measure compliance. In sum, it is
comprehensive and detailed in its approach," Holtzman says.

Useful Tool

For entities that received the audit address confirmation and, more
recently, screening questionnaire, the new audit protocol is a "must read,"
Greene says. "Even for entities that did not receive these and are less
likely to be audited in this next round, the protocol is a great tool to
prepare for any potential OCR investigations, such as one caused by a
complaint or breach report."

Covered entities and business associates also can use the enhanced protocol
to help assess their compliance programs, says privacy attorney Kirk Nahra
of the law firm Wiley Rein.

"The audit protocol is a very useful tool for any company to use in
evaluating their overall compliance status and their ability to do well in
an audit or investigation," the attorney notes. "It also will be very
intimidating, as the protocol is incredibly detailed and granular, far
beyond what many companies will have in place, particularly on elements
that seldom come into play - for example policies relating to individuals
who have been dead more than 50 years."

While the tool may end up being useful for HHS as a knowledge-gathering
exercise, Nahra says, "I suspect few companies - even those with very
strong compliance - will be able to meet all of the detailed elements of
each rule spelled out by this protocol."

Holtzman believes the new, far more detailed audit protocol might be
singled out by some "as evidence to support their contention that the HIPAA
rules are too complex and demanding for small healthcare providers and
employer group health plans."