As with most other Standards in the HIPAA Security Rule, there are explicit OCR Audit Protocols that address 45 CFR §164.308(a)(6)(i) Security Incident Procedures. In this post, we detail the audit protocol and provide a link to the “CMS Information Security – Incident Handling And Breach Analysis – Notification Procedure”. Here’s today’s big tip – Learn From CMS!
OCR HIPAA Audits Are Here (of Course!)
There’s Lots to Learn from the Center for Medicaid and Medicare Services
First, here is the specific HIPAA Security Rule Standard and Implementation Specifications on Security Incident handling:
(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
(ii) Implementation specification: Response and Reporting (Required).
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Second, following are the elements of the OCR Audit Protocol as it relates to this requirement:
Established Performance Criteria:
§164.308(a)(6): Security Incident Procedures (§164.308(a)(6)(ii)) – Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Develop and Implement Procedures to Respond to and Report Security Incidents.
- Inquire of management as to whether there are formal or informal policies and/or procedures in place for identifying, responding to, reporting, and mitigating security incidents.
- Obtain and review the formal or informal policies and procedures and determine if incident response procedures are in place.
- Obtain and review the formal or informal policies and/or procedures and determine if incident response procedures are updated on a periodic basis based on changing organizational needs.
- Obtain and review formal or informal documentation to determine if the incident response procedures have been communicated to appropriate entity personnel.
- Obtain and review formal or informal documentation of procedures and evaluate the content relevant to the specified criteria in place for conducting post-incident analysis.
- Obtain and review formal or informal documentation to determine if post-incident analyses have been conducted.
Recommended HIPAA Audit Prep next actions:
- Study the audit protocols and assess your compliance and audit readiness.
- If you need security incident procedures, consider one of our Policy and Procedure Toolkits.
Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.
Wanna be even more ready for an audit or hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: https://clearwatercompliance.com/newsletters/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/upcoming-live-webinars/
Latest posts by Bob Chaput