The industry has been eager for the release of the OCR’s HIPAA Audit Protocol, and our wait is over. Today, without fanfare, OCR posted the protocol to its website.

All told, the protocol enumerates 165 areas of performance evaluation – 77 dedicated to the HIPAA Security Rule and 88 dedicated to the HIPAA Privacy and Breach Notification Rules. The protocol cites the specific section of the HIPAA Rules, the established performance criteria, the key activity and the audit procedures. As we experienced in working with our client, one of the first 20 organizations audited, the audit procedures are largely inquiries as to whether, first, policies and supporting documentation exist, and second, whether processes and practices consistent with those policies can be observed.

That said, for organizations looking for a better understanding of what constitutes acceptable performance, or ranges of acceptable performance as we often see in other types of industry audits, the published protocol may still leave the industry wanting for more explicit guidance.

For example, the single most significant HIPAA Security Rule finding of deficiency across the first 20 audits was in the area of user activity monitoring, as reported by OCR’s Linda Sanches at the OCR/NIST conference on June 6, 2012. In reviewing the audit protocol, here are some excerpts associated with user activity monitoring:

Performance Criteria: §164.308(a)(1)(ii)(D):Security Management Process – Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Key Activity: Develop and Deploy the Information System Activity Review Process

Audit Procedure: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities; such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to specified performance criteria to determine if an appropriate review process is in place of information system activities. Obtain evidence for a sample of instances showing implementation of covered entity review practices. Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.

Performance Criteria: §164.312(b) Audit Controls – Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Key Activities: Determine the Activities that Will be Tracked or Audited, Select the Tools that Will be Deployed for Auditing and System Activity Reviews, Develop and Deploy the Information System Activity Review/Audit Policy, Develop Appropriate Standard Operating Procedures

Audit Procedure: 

Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.

Inquire of management as to whether a formal or informal audit policy is in place to communicate the details of the entity’s audits and reviews to the work force. Obtain and review formal or informal policies and procedures and evaluate the content in relation to the specified criteria to understand whether a formal audit policy is in place to communicate the details of the entity’s audits and reviews to the work force. Obtain and review an email, or some form of communication, showing that the audit policy is communicated to the work force. Alternatively, a screenshot of the audit policy located on the entity’s intranet would suffice.

Inquire of management as to whether procedures are in place on the systems and applications to be audited and how they will be audited. Obtain and review management’s procedures in place to determine the systems and applications to be audited and how they will be audited.

While this information is certainly helpful, many of our clients want to know how many patient records they should be auditing, how many user accounts they should be auditing, how frequently audits should be conducted, what constitutes acceptable monitoring practice, etc. The performance criteria in the protocol are just not that specific, despite the industry’s desire for more explicit guidance.

Another area of deficiency that both OCR and KPMG have commented on publicly is the performance of risk assessment among the first 20 audited organizations. The protocol offers the following:

Performance Criteria: §164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(a) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Key Activity: Conduct Risk Assessment

Audit Procedure: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

Again, so many of our clients want to understand what “periodic basis” really means. Is that annually? What kind of change in the environment necessitates an update in the risk assessment? One thing is clear from the audit procedure; covered entities need to know where ePHI is across the enterprise. This is not something that can be accomplished manually if the ePHI discovery is going to be accurate.

Over the coming days, there are sure to be many articles, editorials, discussions and blog posts about the protocol and how it can best be employed to help organizations improve their privacy and security program performance. We look forward to your questions and comments.

On the heels of our client’s audit, CynergisTek, in partnership with Davis Wright Tremaine partner, Adam Greene, established a portfolio of OCR audit readiness and investigation response services. Our team will go about the work of further mapping the content of the protocol to our many lessons already learned to best serve our clients and the industry at large.