This entry is part 12 of 27 in the series HIPAA Audit Tips

As with most other Standards in the HIPAA Security Rule, there are explicit OCR Audit Protocols that address 45 CFR §164.308(a)(i) Security Incident Procedures. In this post, we detail the audit protocol and provide a link to the “CMS Information Security – Incident Handling And Breach Analysis – Notification Procedure”. Here’s today’s big tip – Learn From CMS!

OCR HIPAA Audits Are Here (of Course!)

There’s Lots to Learn from the Centers for Medicare and Medicaid Services

First, here is the specific HIPAA Security Rule Standard and Implementation Specifications on Security Incident handling:

(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.

(ii) Implementation specification: Response and Reporting (Required).
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Second, following are the elements of the OCR Audit Protocol as it relates to this requirement:

Established Performance Criteria:
§164.308(a)(6): Security Incident Procedures (§164.308(a)(6)(ii)) – Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Key Activity:
Develop and Implement Procedures to Respond to and Report Security Incidents.

Audit Procedures:

  1. Inquire of management as to whether there are formal or informal policies and/or procedures in place for identifying, responding to, reporting, and mitigating security incidents.
  2. Obtain and review the formal or informal policies and procedures and determine if incident response procedures are in place.
  3. Obtain and review the formal or informal policies and/or procedures and determine if incident response procedures are updated on a periodic basis based on changing organizational needs.
  4. Obtain and review formal or informal documentation to determine if the incident response procedures have been communicated to appropriate entity personnel.
  5. Obtain and review formal or informal documentation of procedures and evaluate the content relevant to the specified criteria in place for conducting post-incident analysis.
  6. Obtain and review formal or informal documentation to determine if post-incident analyses have been conducted.

Recommended HIPAA Audit Prep next actions:

  1. Study the audit protocols and assess your compliance and audit readiness.
  2. If you need security incident procedures, consider one of our Policy and Procedure Toolkits.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.