OCR has published the audit protocols for the HIPAA Security and Privacy and HITECH Breach Notification Rules. Our analysis is underway as we incorporate these OCR audit elements into our HIPAA Security Assessment SaaS solution and other assessment tools. Here’s today’s big tip – Learn the protocols and the emphasis on 45 CFR 164.308(a)(8) Evaluation Standard…
HITECH Act – SECTION 13411. AUDITS
As we all know by now (unless you’ve just returned from a 4-year inter-planetary space mission), in a single sentence in the The Health Information Technology for Economic and Clinical Health (HITECH) Act, mandatory audits of Covered Entities’ and Business Associates’ compliance with HIPAA and HITECH came to be.
“The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”
OCR Audit Protocol Includes Some “Hyper-Vigilance”
OCR has published these audit protocols and they are… well… interesting! Our analysis is underway and I’ll post some thoughts along the way. In some areas, the protocols seem to be spot on, in others lacking and in some, “hyper-vigilant”. Sometimes the “hyper-vigilance” makes sense; e.g., the Access Control (Technical Safeguard) is covered very thoroughly and this great makes sense because in many organizations “Access Control” is out of control.
Rigorous Coverage of “Evaluation” or HIPAA Compliance Assessment
One the areas that pleasantly surprised me is the coverage of Evaluation (Administrative Safeguard) at 45 CFR 164.308(a)(8):
“Perform a periodic technical and non technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”
Few organizations have performed such an Evaluation or compliance assessment properly. In fact, consider these five specific audit points related to the HIPAA Security Assessment or Evaluation, straight from the audit protocol:
OCR Audit Established Performance Criteria:
§164.308(a)(8) Evaluation – Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
OCR Audit Key Activity 1:
Determine Whether Internal or External Evaluation Is Most Appropriate.
OCR Audit Protocol Procedures 1:
Inquire of management whether evaluations are conducted by internal staff or external consultants. Obtain and review a sample of evaluations conducted within the audit period to determine whether they were conducted by internal staff or external consultants. For evaluations conducted by external consultants, determine if an agreement or contract exists and if it includes verification of consultants’ credentials and experience. For evaluations conducted by internal staff, determine if the documentation covers elements from the specified performance criteria.
OCR Audit Key Activity 2:
Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule.
OCR Audit Protocol Procedures 2:
Inquire of management as to whether policy and procedures exist to ensure an evaluation considers all elements of the HIPAA Security Rule. Obtain and review policy and procedures used and evaluate the content in relation to the specified criteria. Determine if the process has been approved and updated on a periodic basis as required.
OCR Audit Key Activity 3:
OCR Audit Protocol Procedures 3:
Inquire of management as to whether policy and procedures exist to ensure all necessary information needed to conduct an evaluation is obtained and documented in advance. Obtain and review the evaluation process in place in relation to the specified criteria. Determine if the policy and procedures have been approved and updated on a periodic basis.
OCR Audit Key Activity 4:
OCR Audit Protocol Procedures 4:
Inquire of management as to whether formal or informal policy and procedures exist to document the evaluation of findings, remediation options and recommendations, and remediation decisions. Obtain and review formal or informal policy and procedures used to document the evaluation of findings, remediation options and recommendations, and remediation decisions in relation to the specified criteria. Determine if written reports of findings are reviewed and approved.
OCR Audit Key Activity 5:
Repeat Evaluations Periodically.
OCR Audit Protocol Procedures 5:
Inquire of management as to whether formal or informal security policies and procedures specify that evaluations will be repeated when environmental and operational changes are made that affect the security of ePHI. Obtain and review the entity’s formal or informal security policies and procedures and evaluate the content in relation to the specified criteria to determine the process for repeat evaluations. Determine if formal or informal security policies and procedures are reviewed on a periodic basis.
All of these and other audit points have been designed into our security assessment software. If you’re considering tools and approaches to reinvigorate your compliance program, we encourage you to take the guided tour of this powerful software solution.
Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.
More HIPAA HITECH Resources:
- Join our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Follow me: http://www.twitter.com/ClearwaterHIPAA
- Subscribe to our eNewsletter: http://clearwaterc.wpengine.com/newsletters/
- Attend a HIPAA HITECH live webinar: http://clearwaterc.wpengine.com/live-educational-webinars
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – How Comprehensive Must Your HIPAA Security Risk Analysis Be? - April 25, 2017
- HIPAA Risk Analysis Tip – Does OCR really use the “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”? - April 23, 2017
- HIPAA Risk Analysis Tip – May 3rd Webinar with Leon Rodriguez – What OCR Expects in Your HIPAA Risk Analysis - April 9, 2017