OCR Publishes New HIPAA Audit Protocol
The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits.
The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments.
The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization.
If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of documents to assess compliance.
OCR may choose to assess covered entities on 89 aspects of the Privacy Rule, 72 elements of the Security Rule (administrative, physical, and technical safeguards), and 19 elements of the HIPAA Breach Notification Rule. OCR has detailed the nature of the inquiries that will be made in the published protocol.
OCR has previously indicated that the purpose of the audits is not to catch covered entities that have failed to comply with HIPAA Rules; instead, the audits will help OCR develop new guidance and issue best practices for covered entities to follow. However, OCR is unlikely to turn a blind eye if major violations of HIPAA Rules are discovered.
OCR has said that if serious violations are discovered a full compliance review may be triggered, and that may lead to the issuing of civil monetary penalties.
At present, OCR is collating and verifying contact information gathered from covered entities over the past few weeks. Questionnaires will shortly be sent out to gather further information which will be used to select entities for audits.
Covered entities should start preparing by compiling a list of all current business associates and locating all business associate agreements. Even entities not selected for audit will be required to supply OCR with a current list of business associates. For some covered entities that list may include thousands of vendors and may take some time to prepare.
Covered entities should also conduct an internal assessment of their compliance program and address any areas of concern. If selected for audit, staff will need to collect, collate, and upload documentation to the OCR auditing web portal. For some entities that may be a time-consuming process. Now is a good time to start developing a plan that can be put into action if the entity is selected for audit.
The new HIPAA audit protocol has been made available on the HHS website.
Criteria to be Assessed in the 2016 HIPAA Audits
Audit Type | Section | Established Performance Criteria |
--- | --- | --- |
Privacy | §164.502(a)(5)(i) | Prohibited uses and disclosures – Use and disclosure of genetic information for underwriting purposes |
Privacy | §164.502(f) | Deceased individuals |
Privacy | §164.502(g) | Personal representatives |
Privacy | §164.502(h) | Confidential communications |
Privacy | §164.502(i) | Uses and disclosures consistent with notice |
Privacy | §164.502(j)(1) | Disclosures by whistleblowers |
Privacy | §164.502(j)(2) | Disclosures by workforce members who are victims of a crime |
Privacy | §164.504(e) | Business associate contracts |
Privacy | §164.504(f) | Requirements for group health plans |
Privacy | §164.504(g) | Requirements for a covered entity with multiple covered functions |
Privacy | §164.506(a) | Permitted uses and disclosures |
Privacy | §164.506(b); (b)(1); and (b)(2) | Consent for uses and disclosures |
Privacy | §164.508(a)(1-3) and §164.508(b)(1-2) | Authorization for uses and disclosures is required |
Privacy | §164.508(b)(3) | Compound authorizations — Exceptions |
Privacy | §164.508(b)(4) | Prohibition on conditioning of authorizations |
Privacy | §164.508(b)(6) and §164.508(c)(1-4) | Uses and Disclosures for which an Authorization is Required – Documentation and Content |
Privacy | §164.510(a)(1) and §164.510(a)(2) | Use and Disclosure for Facility Directories; Opportunity to Object |
Privacy | §164.510(a)(3) | Uses and Disclosures for Facility Directories in Emergency Circumstances |
Privacy | §164.510(b)(1) | Permitted uses and disclosures |
Privacy | §164.510(b)(2) | Uses and disclosures with the individual present |
Privacy | §164.510(b)(3) | Limited uses and disclosures when the individual is not present |
Privacy | §164.510(b)(4) | Uses and disclosures for disaster relief purposes |
Privacy | §164.510(b)(5) | Uses and disclosures when the individual is deceased |
Privacy | §164.512(a) | Uses and disclosures required by law |
Privacy | §164.512(b) | Uses and disclosures for public health activities |
Privacy | §164.512(c) | Disclosures about victims of abuse, neglect or domestic violence |
Privacy | §164.512(d) | Uses and disclosures for health oversight activities |
Privacy | §164.512(e) | Disclosures for judicial and administrative proceedings |
Privacy | §164.512(f)(1) | Disclosures for law enforcement purposes |
Privacy | §164.512(f)(2) | Disclosures for law enforcement purposes – for identification and location |
Privacy | §164.512(f)(3) | Disclosures for law enforcement purposes – PHI of a possible victim of a crime |
Privacy | §164.512(f)(4) | Disclosures for law enforcement purposes – an individual who has died as a result of suspected criminal conduct |
Privacy | §164.512(f)(5) | Disclosures for law enforcement purposes: crime on premises |
Privacy | §164.512(f)(6) | Disclosures for law enforcement purposes |
Privacy | §164.512(g) | Uses and disclosures about decedents |
Privacy | §164.512(h) | Uses and disclosures for cadaveric organ, eye or tissue donation |
Privacy | §164.512(i)(1) | Uses and disclosures for research purposes — Permitted Uses and Disclosures |
Privacy | §164.512(i)(2) | Uses and disclosures for research purposes — Documentation of Waiver Approval |
Privacy | §164.512(k)(1) | Uses and disclosures for specialized government functions — Military |
Privacy | §164.512(k)(2) | Uses and disclosures for specialized government functions — National Security and intelligence activities |
Privacy | §164.512(k)(3) | Uses and disclosures for specialized government functions — Protective Services |
Privacy | §164.512(k)(4) | Uses and disclosures for specialized government functions — Medical Suitability Determinations |
Privacy | §164.512(k)(5) | Uses and disclosures for specialized government functions – Correctional institutions |
Privacy | §164.512(k)(6) | Uses and disclosures for specialized government functions – Providing public benefits |
Privacy | §164.512(l) | Disclosures for workers’ compensation |
Privacy | §164.514(b) & §164.514(c) | Requirements for De-Identification of PHI & Re-Identification of PHI |
Privacy | §164.514(d)(1)-§164.514(d)(2) | Standard: Minimum Necessary & Minimum Necessary Uses of PHI |
Privacy | §164.514(d)(3) | Minimum Necessary – Disclosures of PHI |
Privacy | §164.514(d)(4) | Minimum Necessary requests for protected health information |
Privacy | §164.514(d)(5) | Minimum Necessary – Other content requirement |
Privacy | §164.514(e) | Limited Data Sets and Data Use Agreements |
Privacy | §164.514(f) | Uses and Disclosures for Fundraising |
Privacy | §164.514(g) | Uses and Disclosures for Underwriting and Related Purposes |
Privacy | §164.514(h) | Verification Requirements |
Privacy | §164.520(a)(1) & (b)(1) | Notice of Privacy Practices |
Privacy | §164.520(c)(1) | Provisions of Notice – Health Plans |
Privacy | §164.520(c)(2) | Provisions of Notice – Certain Covered Health Care Providers |
Privacy | §164.520(c)(3) | Provision of Notice – Electronic Notice |
Privacy | §164.520(d) | Joint Notice by Separate Covered Entities |
Privacy | §164.520(e) | Documentation |
Privacy | §164.522(a)(1) | Right of an Individual to Request Restriction of Uses and Disclosures |
Privacy | §164.522(a)(2) | Terminating a Restriction |
Privacy | §164.522(a)(3) | Documentation |
Privacy | §164.522(b)(1) | Confidential Communications Requirements |
Privacy | §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3) | Right to access |
Privacy | §164.524(d)(2) | Denial of Access |
Privacy | §164.524(a)(2) | Unreviewable grounds for denial |
Privacy | §164.524(a)(3) | Reviewable grounds for denial |
Privacy | §164.524(a)(4) & (d)(4) | Review of denial of access |
Privacy | §164.524(e) | Documentation |
Privacy | §164.526(a)(1) | Right to Amend |
Privacy | §164.526(a)(2) | Denying the Amendment |
Privacy | §164.526(c) | Accepting the Amendment |
Privacy | §164.526(d) | Denying the Amendment |
Privacy | §164.528(a) | Right to an Accounting of Disclosures of PHI |
Privacy | §164.528(b) | Content of the Accounting |
Privacy | §164.528(c) | Provision of the Accounting |
Privacy | §164.528(d) | Documentation |
Privacy | §164.530(a) | Personnel designations |
Privacy | §164.530(b) | Training |
Privacy | §164.530(c) | Safeguards |
Privacy | §164.530(d)(1) | Complaints to the Covered Entity |
Privacy | §164.530(d)(2) | Complaints to the Covered Entity |
Privacy | §164.530(e)(1) | Sanctions |
Privacy | §164.530(f) | Mitigation |
Privacy | §164.530(g) | Refraining from Intimidating or Retaliatory Acts |
Privacy | §164.530(h) | Waiver of rights |
Privacy | §164.530(i) | Policies and Procedures |
Privacy | §164.530(j) | Documentation |
Security | §164.306(a) | General Requirements |
Security | §164.306(b) | Flexibility of approach |
Security | §164.308(a) | Security Management Process |
Security | §164.308(a)(1)(ii)(A) | Security Management Process — Risk Analysis |
Security | §164.308(a)(1)(ii)(B) | Security Management Process — Risk Management |
Security | §164.308(a)(1)(ii)(C) | Security Management Process – Sanction Policy |
Security | §164.308(a)(1)(ii)(D) | Security Management Process – Information System Activity Review |
Security | §164.308(a)(2) | Assigned Security Responsibility |
Security | §164.308(a)(3)(i) | Workforce Security |
Security | §164.308(a)(3)(ii)(A) | Workforce security — Authorization and/or Supervision |
Security | §164.308(a)(3)(ii)(B) | Workforce security — Workforce Clearance Procedure |
Security | §164.308(a)(3)(ii)(C) | Workforce security — Establish Termination Procedures |
Security | §164.308(a)(4)(i) | Information Access Management |
Security | §164.308(a)(4)(ii)(A) | Information Access Management — Isolating Healthcare Clearinghouse Functions |
Security | §164.308(a)(4)(ii)(B) | Information Access Management — Access Authorization |
Security | §164.308(a)(4)(ii)(C) | Information Access Management — Access Establishment and Modification |
Security | §164.308(a)(5)(i) | Security Awareness and Training |
Security | §164.308(a)(5)(ii)(A) | Security Awareness and Training — Security Reminders |
Security | §164.308(a)(5)(ii)(B) | Security Awareness, Training, and Tools — Protection from Malicious Software |
Security | §164.308(a)(5)(ii)(C) | Security Awareness, Training, and Tools — Log-in Monitoring |
Security | §164.308(a)(5)(ii)(D) | Security Awareness, Training, and Tools — Password Management |
Security | §164.308(a)(6)(i) | Security Incident Procedures |
Security | §164.308(a)(6)(ii) | Security Incident Procedures — Response and Reporting |
Security | §164.308(a)(7)(i) | Contingency Plan |
Security | §164.308(a)(7)(ii)(A) | Contingency Plan – Data Backup Plan |
Security | §164.308(a)(7)(ii)(B) | Contingency Plan – Disaster Recovery Plan |
Security | §164.308(a)(7)(ii)(C) | Contingency Plan — Emergency Mode Operation Plan |
Security | §164.308(a)(7)(ii)(D) | Contingency Plan — Testing and Revision Procedure |
Security | §164.308(a)(7)(ii)(E) | Contingency Plan – Application and Data Criticality Analysis |
Security | §164.308(a)(8) | Evaluation |
Security | §164.308(b)(1) | Business Associate Contracts and Other Arrangements |
Security | §164.308(b)(3) | Business Associate Contracts and Other Arrangements — Written Contract or Other Arrangement |
Security | §164.310(a)(1) | Facility Access Controls |
Security | §164.310(a)(2)(i) | Facility Access Controls — Contingency Operations |
Security | §164.310(a)(2)(ii) | Facility Access Controls — Facility Security Plan |
Security | §164.310(a)(2)(iii) | Facility Access Controls — Access Control and Validation Procedures |
Security | §164.310(a)(2)(iv) | Facility Access Controls — Maintenance Records |
Security | §164.310(b) | Workstation Use |
Security | §164.310(c) | Workstation Security |
Security | §164.310(d)(1) | Device and Media Controls |
Security | §164.310(d)(2)(i) | Device and Media Controls — Disposal |
Security | §164.310(d)(2)(ii) | Device and Media Controls — Media Re-use |
Security | §164.310(d)(2)(iii) | Device and Media Controls — Accountability |
Security | §164.310(d)(2)(iv) | Device and Media Controls — Data Backup and Storage Procedures |
Security | §164.312(a)(1) | Access Control |
Security | §164.312(a)(2)(i) | Access Control — Unique User Identification |
Security | §164.312(a)(2)(ii) | Access Control — Emergency Access Procedure |
Security | §164.312(a)(2)(iii) | Access Control — Automatic Logoff |
Security | §164.312(a)(2)(iv) | Access Control — Encryption and Decryption |
Security | §164.312(b) | Audit Controls |
Security | §164.312(c)(1) | Integrity |
Security | §164.312(c)(2) | Integrity — Mechanism to Authenticate ePHI |
Security | §164.312(d) | Person or Entity Authentication |
Security | §164.312(e)(1) | Transmission Security |
Security | §164.312(e)(2)(i) | Transmission Security — Integrity Controls |
Security | §164.312(e)(2)(ii) | Transmission Security –Encryption |
Security | §164.314(a)(1) | Business Associate Contracts or Other Arrangements |
Security | §164.314(a)(2)(i)(A) | Business associate contracts |
Security | §164.314(a)(2)(i)(B) | Business associate contracts |
Security | §164.314(a)(2)(i)(C) | Business associate contracts |
Security | §164.314(a)(2)(ii) | Other Arrangements |
Security | §164.314(a)(2)(iii) | Business associate contracts with subcontractors |
Security | §164.314(b)(1) | Requirements for Group Health Plans |
Security | §164.314(b)(2)(i) | Group Health Plan Implementation Specification |
Security | §164.314(b)(2)(ii) | Group Health Plan Implementation Specification |
Security | §164.314(b)(2)(iii) | Group Health Plan Implementation Specification |
Security | §164.314(b)(2)(iv) | Group Health Plan Implementation Specification |
Security | §164.316(a) | Policies and Procedures |
Security | §164.316(b)(1) | Documentation |
Security | §164.316(b)(2)(i) | Documentation – Time Limit |
Security | §164.316(b)(2)(ii) | Documentation – Availability |
Security | §164.316(b)(2)(iii) | Documentation – Updates |
Breach | §164.414(a) | Administrative Requirements |
Breach | §164.530(b) | Training |
Breach | §164.530(d) | Complaints |
Breach | §164.530(e) | Sanctions |
Breach | §164.530(g) | Refraining from Retaliatory Acts |
Breach | §164.530(h) | Waiver of Rights |
Breach | §164.530(i) | Policies and Procedures |
Breach | §164.530(j) | Documentation |
Breach | §164.402 | Definitions: Breach – Risk Assessment |
Breach | §164.402 | Definitions: Breach – exceptions (unsecured PHI) |
Breach | §164.404(a) | Notice to Individuals |
Breach | §164.404(b) | Timeliness of Notification |
Breach | §164.404(c)(1) | Content of Notification |
Breach | §164.404(d) | Methods of Notification |
Breach | §164.406 | Notification to the Media |
Breach | §164.408 | Notification to the Secretary |
Breach | §164.410 | Notification by a Business Associate |
Breach | §164.412 | Law Enforcement Delay |
Breach | §164.414(b) | Burden of Proof |