ARTICLE
22 April 2016

OCR Releases New HIPAA Audit Protocol And Other Audit-Related Materials

M
Mintz

Contributor

Mintz logo
Mintz is a general practice, full-service Am Law 100 law firm with more than 600 attorneys. We are headquartered in Boston and have additional US offices in Los Angeles, Miami, New York City, San Diego, San Francisco, and Washington, DC, as well as an office in Toronto, Canada.
Explore Firm Details
Earlier this month the Department of Health and Human Services Office for Civil Rights released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule.
United States Food, Drugs, Healthcare, Life Sciences
Photo of Dianne J. Bourque
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

Earlier this month the Department of Health and Human Services Office for Civil Rights (OCR) released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.

The protocol covers the following subject areas:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.

Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate's name, contact information, type of services, and website.

Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR's aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.

As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment. Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Dianne J. Bourque
Dianne J. Bourque
Person photo placeholder
Jordan Cohen
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More