OCR Issues New Audit Protocols Tailored to Desk Audits, Not Necessarily to Design and Implementation of Policies and Procedures


April 15, 2016. On April 1, 2016, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Resources (HHS) published on its Website the long-awaited Audit Protocol-Current, which describes its intent as:

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.


  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
  • The protocol covers requirements for the Breach Notification Rule.”


The Audit Protocol-Current reflects provisions of the HITECH Act Modifications of HIPAA Rules that required compliance by covered entities and business associates by September 23, 2013.


These protocols are designed to inform covered entities and business associates selected for audit, initially a desk audit, of the content auditors will look for and that must be reflected in policies and procedures. The Website goes on to present clarifying information in its general instructions:


  • Entity means “both covered entities and business associates unless identified as one or the other.”
  • Management means “appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards.”
  • The auditor “will be provided certain documents and items for review; not necessarily all policies and procedures.”
  • “Unless otherwise specified, all document requests are for versions in use as of date of the audit notification and document request.”
  • “Unless otherwise specified, selected entities should submit documents via OCR’s secure online Web portal in pdf, MS Word, or MS Excel formats.”
  • “If the request number of documentations of implementation is not available, the entity must provide instances from previous years to complete the sample. If no documentation is available, the entity must provide a statement to that effect.” [Note: the HIPAA documentation standards require archiving of documents for 6 years from last action.]
  • Workforce members means “entity employees, contractors, students, and volunteers.”
  • Information systems means “hardware, software, information, data, applications, communications, and people.”


With regard to safeguard policies and procedures, the HITECH Act Modifications to the HIPAA Privacy Administrative Requirements, the HIPAA Security Rule, and the HITECH Act Breach Notification provisions were non-substantive except in two significant instances: (1) the expansion of business associates to include subcontractors, together with the requirement that business associates implement the HIPAA Security Rule; and (2) the change in breach notification from a harm standard to a probability standard, with a presumption that notification is required unless a risk analysis based on specific factors demonstrates otherwise.


Aside from those two instances, the earlier audit protocols were more tailored to designing and implementing policies and procedures, whereas the current audit protocols are more suited to OCR’s sample design. Below we show the new OCR audit protocol for 45 CFR 164.530(g), Refraining from Intimidating or Retaliatory Acts, whose provisions apply to both the HIPAA Privacy Rule and the HITECH Act Breach Notification Rule but for which there are now two separate audit protocols: one for Breach and one for Privacy. Then we show the original OCR audit protocol, which covered both Privacy and Breach in a single protocol and much more realistically mirrors the single policy/procedure combination that the CFR specification calls for.


New OCR Audit Protocol

Breach

Key Activity. 164.530(g) – Refraining from Retaliatory Acts. All covered entities must have policies and procedures in place to prohibit retaliatory acts.

Established Performance Criteria. 164.530(g) – Refraining from Retaliatory Acts. Does the covered entity have appropriate policies and procedures in place to prohibit retaliation against any individual for exercising a right or participating in a process (e.g., assisting in an investigation by HHS or other appropriate authority or for filing a complaint) or for opposing an act or practice that the person believes in good faith violates the Breach Notification Rule? Obtain and review such policies and procedures.

Audit Inquiry. 164.530(g) – Refraining from Retaliatory Acts. Does the covered entity have appropriate policies and procedures in place to prohibit retaliation against any individual for exercising a right or participating in a process (e.g., assisting in an investigation by HHS or other appropriate authority or for filing a complaint) or for opposing an act or practice that the person believes in good faith violates the Breach Notification Rule? Obtain and review such policies and procedures.

Privacy

Key Activity. Refraining from Intimidating or Retaliatory Acts.

Established Performance Criteria. 164.530(g) Standard: Refraining from intimidating or retaliatory acts. A covered entity—
(1) May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section; and (2) must refrain from intimidation and retaliation as provided in 160.316.

Audit Inquiry. Has the covered entity implemented policies and procedures addressing the prevention of intimidating or retaliatory actions against any individual for the exercise by the individual of any right established, or for participation in any process provided, for filing complaints against the covered entity? Obtain and review policies and procedures in place to determine if anti-intimidation and anti-retaliatory standards exist. Obtain and review documentation that the policies and procedures are conveyed to the workforce.

Original OCR Audit Protocol

Key Activity. Refraining from Intimidating or Retaliatory Acts.

Established Performance Criteria. 164.530(g) Standard: Refraining from intimidating or retaliatory acts. A covered entity—
(1) May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section; and (2) must refrain from intimidation and retaliation as provided in 160.316.

Audit Procedures. Inquire of management as to whether policies and procedures exist preventing intimidating or retaliatory actions against any individual for the exercise by the individual of any right established, or for participation in any process provided, for filing complaints against the covered entity. Obtain and review policies and procedures in place and evaluate the content relative to the specified criteria to determine if anti-intimidation and anti-retaliatory standards exist. Obtain and review evidence that the policies and procedures are updated appropriately and conveyed to the workforce.

HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0) is designed for covered entities and business associates to document and successfully demonstrate safeguard compliance, whether for a potential selection for an OCR desk or onsite audit or for providing evidence to cyber insurance underwriters of a security management process and security measures in place. HIPAA Integrity comprises an easy-to-follow tabular risk analysis template; 92 written generic HIPAA Privacy Administrative Requirement, HIPAA Security, and HITECH Act Breach Notification safeguard policies and procedures that a covered entity or business associate must have in place and that can readily be tailored to its risk analysis findings; 22 authorization and maintenance forms accompanying the safeguard procedures; and a safeguard training curriculum in five lessons with test questions for administration by Privacy and Security Officials to their workforce members. Each component of the package is linked via proprietary code and written in plain language. HIPAA Integrity also includes guidance, online accessible authoritative references, and the OCR audit protocols. At an affordable $499 for a year’s membership, including any federal regulatory updates and version changes, HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0) is a much more cost-effective option than being selected for an OCR desk audit and found non-compliant, or being rejected for cyber insurance coverage, and then having to deal with the financial and non-financial consequences of a privacy breach or security incident.
