Dedicated to providing the latest
HIPAA compliance news

OCR Publishes New HIPAA Audit Protocol

Share this article on:

The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits.

The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments.

The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization.

If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of documents to assess compliance.

OCR may choose to assess covered entities on 89 aspects of the Privacy Rule, 72 elements of the Security Rule (administrative, physical, and technical safeguards), and 19 elements of the HIPAA Breach Notification Rule. OCR has detailed the nature of the inquiries that will be made in the published protocol.

OCR has previously indicated the purpose of the audits is not to catch covered entities that have failed to ensure compliance with HIPAA Rules, instead they will help OCR to develop new guidance and issue best practices for covered entities to follow. However, OCR is unlikely to turn a blind eye if major violations of HIPAA Rules are discovered.

OCR has said that if serious violations are discovered a full compliance review may be triggered, and that may lead to the issuing of civil monetary penalties.

At present, OCR is collating and verifying contact information gathered from covered entities over the past few weeks. Questionnaires will shortly be sent out to gather further information which will be used to select entities for audits.

Covered entities should start preparing by compiling a list of all current business associates and locating all business associate agreements. Even if not selected for audit, OCR will require a current list of business associates to be supplied. For some covered entities that list may include thousands of vendors and may take some time to prepare.

Covered entities should also conduct an internal assessment of their compliance program and address any areas of concern. If selected for audit, staff will need to collect, collate, and upload documentation to the OCR auditing web portal. For some entities that may be a time consuming process. Now is a good time to start developing a plan which can be put into action if the entity is selected for audit.

The new HIPAA audit protocol has been made available on the HHS website and can be viewed in this link

Criteria to be Assessed in the 2016 HIPAA Audits

Audit Type Section Established Performance Criteria
Privacy §164.502(a)(5)(i) Prohibited uses and disclosures – Use and disclosure of genetic information for underwriting purposes
Privacy §164.502(f) Deceased individuals
Privacy §164.502(g) Personal representatives
Privacy §164.502(h) Confidential communications
Privacy §164.502(i) Uses and disclosures consistent with notice
Privacy §164.502(j)(1) Disclosures by whistleblowers
Privacy §164.502(j)(2) Disclosures by workforce members who are victims of a crime
Privacy §164.504(e) Business associate contracts
Privacy §164.504(f) Requirements for group health plans
Privacy §164.504(g) Requirements for a covered entity with multiple covered functions
Privacy §164.506(a) Permitted uses and disclosures
Privacy §164.506(b); (b)(1); and (b)(2) Consent for uses and disclosures
Privacy §164.508(a)(1-3) and §164.508(b)(1-2) Authorizations for uses and disclosures is required
Privacy §164.508(b)(3) Compound authorizations — Exceptions
Privacy §164.508(b)(4) Prohibition on conditioning of authorizations
Privacy §164.508(b)(6) and §164.508(c)(1-4) Uses and Disclosures for which an Authorization is Required – Documentation and Content
Privacy §164.510(a)(1) and §164.510(a)(2) Use and Disclosure for Facility Directories; Opportunity to Object
Privacy §164.510(a)(3) Uses and Disclosures for Facility Directories in Emergency Circumstances
Privacy §164.510(b)(1) Permitted uses and disclosures
Privacy §164.510(b)(2) Uses and disclosures with the individual present
Privacy §164.510(b)(3) Limited uses and disclosures when the individual is not present
Privacy §164.510(b)(4) Uses and disclosures for disaster relief purposes
Privacy §164.510(b)(5) Uses and disclosures when the individual is deceased
Privacy §164.512(a) Uses and disclosures required by law
Privacy §164.512(b) Uses and disclosures for public health activities
Privacy §164.512(c) Disclosures about victims of abuse, neglect or domestic violence
Privacy §164.512(d) Uses and disclosures for health oversight activities
Privacy §164.512(e) Disclosures for judicial and administrative proceedings
Privacy §164.512(f)(1) Disclosures for law enforcement purposes
Privacy §164.512(f)(2) Disclosures for law enforcement purposes – for identification and location –
Privacy §164.512(f)(3) Disclosures for law enforcement purposes– PHI of a possible victim of a crime
Privacy §164.512(f)(4) Disclosures for law enforcement purposes– an individual who has died as a result of suspected criminal conduct
Privacy §164.512(f)(5) Disclosures for law enforcement purposes: crime on premises
Privacy §164.512(f)(6) Disclosures for law enforcement purposes
Privacy §164.512(g) Uses and disclosures about decedents
Privacy §164.512(h) Uses and disclosures for cadaveric organ, eye or tissue donation
Privacy §164.512(i)(1) Uses and disclosures for research purposes — Permitted Uses and Disclosures
Privacy §164.512(i)(2) Uses and disclosures for research purposes — Documentation of Waiver Approval
Privacy §164.512(k)(1) Uses and disclosures for specialized government functions — Military
Privacy §164.512(k)(2) Uses and disclosures for specialized government functions — National Security and intelligence activities
Privacy §164.512(k)(3) Uses and disclosures for specialized government functions — Protective Services
Privacy §164.512(k)(4) Uses and disclosures for specialized government functions — Medical Suitability Determinations
Privacy §164.512(k)(5) Uses and disclosures for specialized government functions – Correctional institutions
Privacy §164.512(k)(6) Uses and disclosures for specialized government functions – Providing public benefits
Privacy §164.512(l) Disclosures for workers’ compensation
Privacy §164.514(b) & §164.514(c) Requirements for De-Identification of PHI & Re-Identification of PHI
Privacy §164.514(d)(1)-§164.514(d)(2) Standard: Minimum Necessary & Minimum Necessary Uses of PHI
Privacy §164.514(d)(3) Minimum Necessary – Disclosures of PHI
Privacy §164.514(d)(4) Minimum Necessary requests for protected health information
Privacy §164.514(d)(5) Minimum Necessary – Other content requirement
Privacy §164.514(e) Limited Data Sets and Data Use Agreements
Privacy §164.514(f) Uses and Disclosures for Fundraising
Privacy §164.514(g) Uses and Disclosures for Underwriting and Related Purposes
Privacy §164.514(h) Verification Requirements
Privacy §164.520(a)(1) & (b)(1) Notice of Privacy Practices
Privacy §164.520(c)(1) Provisions of Notice – Health Plans
Privacy §164.520(c)(2) Provisions of Notice – Certain Covered Health Care Providers
Privacy §164.520(c)(3) Provision of Notice – Electronic Notice
Privacy §164.520(d) Joint Notice by Separate Covered Entities
Privacy §164.520(e) Documentation
Privacy §164.522(a)(1) Right of an Individual to Request Restriction of Uses and Disclosures
Privacy §164.522(a)(2) Terminating a Restriction
Privacy §164.522(a)(3) Documentation
Privacy §164.522(b)(1) Confidential Communications Requirements
Privacy §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3) Right to access
Privacy §164.524(d) (2) Denial of Access
Privacy §164.524(a)(2) Unreviewable grounds for denial
Privacy §164.524(a)(3) Reviewable grounds for denial
Privacy §164.524(a)(4) & (d)(4) Review of denial of access
Privacy §164.524(e) Documentation
Privacy §164.526(a)(1) Right to Amend
Privacy §164.526(a)(2) Denying the Amendment
Privacy §164.526(c) Accepting the Amendment
Privacy §164.526(d) Denying the Amendment
Privacy §164.528(a) Right to an Accounting of Disclosures of PHI
Privacy §164.528(b) Content of the Accounting
Privacy §164.528(c) Provision of the Accounting
Privacy §164.528(d) Documentation
Privacy §164.530(a) Personnel designations
Privacy §164.530(b) Training
Privacy §164.530(c) Safeguards
Privacy §164.530(d)(1) Complaints to the Covered Entity
Privacy §164.530(d)(2) Complaints to the Covered Entity
Privacy §164.530(e)(1) Sanctions
Privacy §164.530(f) Mitigation
Privacy §164.530(g) Refraining from Intimidating or Retaliatory Acts
Privacy §164.530(h) Waiver of rights
Privacy §164.530(i) Policies and Procedures
Privacy §164.530(j) Documentation
Security §164.306(a) General Requirements
Security §164.306(b) Flexibility of approach
Security §164.308(a) Security Management Process
Security §164.308(a)(1)(ii)(A) Security Management Process — Risk Analysis
Security §164.308(a)(1)(ii)(B) Security Management Process — Risk Management
Security §164.308(a)(1)(ii)(C) Security Management Process – Sanction Policy
Security §164.308(a)(1)(ii)(D) Security Management Process –Information System Activity Review
Security §164.308(a)(2) Assigned Security Responsibility
Security §164.308(a)(3)(i) Workforce Security
Security §164.308(a)(3)(ii)(A) Workforce security — Authorization and/or Supervision
Security §164.308(a)(3)(ii)(B) Workforce security — Workforce Clearance Procedure
Security §164.308(a)(3)(ii)(C) Workforce security — Establish Termination Procedures
Security §164.308(a)(4)(i) Information Access Management
Security §164.308(a)(4)(ii)(A) Information Access Management — Isolating Healthcare Clearinghouse Functions
Security §164.308(a)(4)(ii)(B) Information Access Management — Access Authorization
Security §164.308(a)(4)(ii)(C) Information Access Management — Access Establishment and Modification
Security §164.308(a)(5)(i) Security Awareness and Training
Security §164.308(a)(5)(ii)(A) Security Awareness and Training — Security Reminders
Security §164.308(a)(5)(ii)(B) Security Awareness, Training, and Tools — Protection from Malicious Software
Security §164.308(a)(5)(ii)(C) Security Awareness, Training, and Tools — Log-in Monitoring
Security §164.308(a)(5)(ii)(D) Security Awareness, Training, and Tools — Password Management
Security §164.308(a)(6)(i) Security Incident Procedures
Security §164.308(a)(6)(ii) Security Incident Procedures — Response and Reporting
Security §164.308(a)(7)(i) Contingency Plan
Security §164.308(a)(7)(ii)(A) Contingency Plan – Data Backup Plan
Security §164.308(a)(7)(ii)(B) Contingency Plan –Disaster Recovery Plan
Security §164.308(a)(7)(ii)(C) Contingency Plan — Emergency Mode Operation Plan
Security §164.308(a)(7)(ii)(D) Contingency Plan — Testing and Revision Procedure
Security §164.308(a)(7)(ii)(A) Contingency Plan –Application and Data Criticality Analysis
Security §164.308(a) (8) Evaluation
Security §164.308(b)(1) Business Associate Contracts and Other Arrangements
Security §164.308(b)(3) Business Associate Contracts and Other Arrangements — Written Contract or Other Arrangement
Security §164.310(a)(1) Facility Access Controls
Security §164.310(a)(2)(i) Facility Access Controls — Contingency Operations
Security §164.310(a)(2)(ii) Facility Access Controls — Facility Security Plan
Security §164.310(a)(2)(iii) Facility Access Controls — Access Control and Validation Procedures
Security §164.310(a)(2)(iv) Facility Access Controls — Maintain Maintenance Records
Security §164.310(b) Workstation Use
Security §164.310(c) Workstation Security
Security §164.310(d)(1) Device and Media Controls
Security §164.310(d)(2)(i) Device and Media Controls — Disposal
Security §164.310(d)(2)(ii) Device and Media Controls — Media Re-use
Security §164.310(d)(2)(iii) Device and Media Controls — Accountability
Security §164.310(d)(2)(iv) Device and Media Controls — Data Backup and Storage Procedures
Security §164.312(a)(1) Access Control
Security §164.312(a)(2)(i) Access Control — Unique User Identification
Security §164.312(a)(2)(ii) Access Control — Emergency Access Procedure
Security §164.312(a)(2)(iii) Access Control — Automatic Logoff
Security §164.312(a)(2)(iv) Access Control — Encryption and Decryption
Security §164.312(b) Audit Controls
Security §164.312(c)(1) Integrity
Security §164.312(c)(2) Integrity — Mechanism to Authenticate ePHI
Security §164.312(d) Person or Entity Authentication
Security §164.312(e)(1) Transmission
Security §164.312(e)(2)(i) Transmission Security — Integrity Controls
Security §164.312(e)(2)(ii) Transmission Security –Encryption
Security 164.314(a)(1) Business Associate Contracts or Other Arrangements
Security 164.314(a)(2)(i)(A) Business associate contracts
Security 164.314(a)(2)(i)(B) Business associate contracts.
Security 164.314(a)(2)(i)(C) Business associate contracts.
Security 164.314(a)(2)(ii) Other Arrangements
Security 164.314(a)(2)(iii) Business associate contracts with subcontractors
Security 164.314(b)(1) Requirements for Group Health Plans
Security 164.314(b)(2)(i) Group Heath Plan Implementation Specification
Security 164.314(b)(2)(ii) Group Heath Plan Implementation Specification
Security 164.314(b)(2)(iii) Group Heath Plan Implementation Specification
Security 164.314(b)(2)(iv) Group Heath Plan Implementation Specification
Security §164.316(a) Policies and Procedures
Security §164.316(b)(1) Documentation
Security §164.316(b)(2) (i) Documentation – Time Limit
Security §164.316(b)(2) (ii) Documentation- Availability
Security §164.316(b)(2) (iii) Documentation – Updates
Breach §164.414(a) Administrative Requirements
Breach §164.530(b) Training
Breach §164.530(d) Complaints
Breach §164.530(e) Sanctions
Breach §164.530(g) Refraining from Retaliatory Acts
Breach §164.530(h) Waiver of Rights
Breach §164.530(i) Policies and Procedures
Breach §164.530(j) Documentation
Breach §164.402 Definitions: Breach – Risk Assessment
Breach §164.402 Definitions: Breach – exceptions (unsecured PHI)
Breach §164.404(a) Notice to Individuals
Breach §164.404(b) Timeliness of Notification
Breach §164.404(c)(1) Content of Notification
Breach §164.404(d) Methods of Notification
Breach §164.406 Notification to the Media
Breach §164.408 Notification to the Secretary
Breach §164.410 Notification by a Business Associate
Breach §164.412 Law Enforcement Delay
Breach §164.414(b) Burden of Proof

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On