
New HIPAA Audit Protocol Released by the OCR

04/06/2016  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security

The specter of a renewed round of HIPAA audits has been looming for several years, with only sporadic guidance from the regulators as to when and how the audits will be performed. An initial round of "pilot" audits was conducted back in 2012 using a published audit protocol that has since become outdated: elements of HITECH were clarified and codified in the Omnibus HIPAA rule published in 2013. With the publishing of the new audit protocol by the OCR, HHS is giving healthcare providers and business associates considerable insight into the questions they may face if selected for an audit.

The OCR HIPAA Audit program is designed to analyze the processes, controls, and policies of selected covered entities and business associates. With this new version, the OCR has established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules representing separate elements of privacy, security, and breach notification. According to the OCR, the combination of these requirements may vary based on the type of covered entity or business associate selected for review. Protocol coverage includes:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Requirements for the Breach Notification Rule.

It is still expected that the upcoming round(s) of audits will be based on a combined approach: "desk audits" performed remotely, plus more comprehensive on-site audits for a more limited selection of entities. The new protocol is somewhat broader in its coverage, with a total of 180 areas as opposed to 165 in the version used for the Pilot Audit program.

With this new guidance from the OCR, now is a perfect time for organizations with compliance obligations under HIPAA to reexamine their adherence to the regulatory standards as well as their readiness for a possible audit. Scrambling at the last hour to respond to an audit request is not a recipe for success.

Learn everything you need to know to prepare for the upcoming OCR audit in our new (free) guide, OCR Audits Demystified. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.