OCR Updates Audit Protocol Emphasizing its Role for Compliance

  • HIPAA Regulations

The US Department of Health and Human Services, Office for Civil Rights (OCR) has quietly updated its comprehensive audit protocol, making substantive changes to the inquiries used to demonstrate how an organization applies its workforce sanctions policy and, more broadly, its compliance with the Breach Notification Rule. Released in 2016 for use by HIPAA covered entities and business associates preparing for the Phase 2 Audit Program, the Audit Protocol is now used by health care organizations, as well as by OCR’s own investigators, to evaluate an organization’s compliance with the Privacy, Security and Breach Notification Rules.

What are the Changes?

A survey of the more substantive changes:

Privacy Rule

Sanctions Policy

  • Does the covered entity (CE) apply appropriate sanctions to members of the workforce who fail to comply with the CE’s breach notification policies and procedures or with the Breach Notification Rule (BNR)?
  • Obtain and review the documentation of the application of the sanctions to a sample of breach notification incidents to determine if appropriate sanctions were applied.

Breach Notification Rule

  • Obtain a list of risk assessments conducted where the CE determined that the PHI was compromised and notification required under the BNR. Obtain and review all documentation associated with the conduct of the risk assessments. Assess whether the risk assessments were completed in accordance with the requirements of the BNR and the CE’s policies and procedures.
  • Inquire whether the CE has used a standard template or form letter for notification of breaches or of specific types of breaches. If the CE has used such templates or form letters, obtain the documents and evaluate whether they meet the BNR’s required content elements.
  • Obtain a list of breaches that occurred in the previous calendar year. Obtain the written notices sent to affected individuals for the first five breaches on the list and evaluate whether they contained the required content.
  • Did the Business Associate (BA) or Subcontractor (SC) determine that there were breaches of unsecured PHI within the previous calendar year? Has the BA notified the CE following its discovery of any breach, consistent with the BNR’s requirements?
  • Obtain copies of all notifications sent by the BA or its SC to the covered entity (or to the BA, for breaches by the SC) in the previous calendar year. Evaluate the content and timeliness of the first five notifications made by the BA in the prior year. For example, review documentation of when the breach was discovered and of the information that was subject to the breach, and determine whether the notifications contain the required content.

What Action Should Organizations Take?

Healthcare provider practices, health plan administrators and business associates should prepare now so they’re ready if they are selected for a compliance review:

  • Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Ensure you have access to all required documentation to demonstrate that policies and procedures are being applied
  • Consider conducting a compliance assessment (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing

CynergisTek has updated its toolkit to reflect the latest changes to the OCR Audit Protocol. Please contact us to receive a copy.

September 5th, 2018

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.