The OCR has finally released a new protocol, entitled “Audit Protocol – Current,” and one can’t be sure whether this is indeed the promised “Phase 2” Audit Protocol, despite the mention that it has been “updated to reflect the Omnibus Final Rule.” Honestly, if one of our customers hadn’t just received “the pre-audit screening questionnaire,” we might have thought it was just an update for which “feedback” was being requested.

Adding to the confusion is the depth and breadth of this “Current” audit criteria versus the previous messaging from OCR, which indicated that the audits would have the following focus:

2016 Covered Entity Desk Audit Scope

  • Security—Risk Analysis and risk management
  • Breach—Content and timeliness of breach notifications
  • Privacy—Notice of Privacy Practices and Access

2016 Business Associate Desk Audit Scope

  • Security—Risk Analysis and risk management
  • Breach—Breach reporting to covered entities

Although the audit inquiry and document review do cover those topics, they also cover much more, including 72 standards and implementation specifications of the Security Rule, 89 of the Privacy Rule and 18 of the Breach Notification Rule. Hence, it is just as robust as the Phase 1 protocol.

The pre-audit screening questionnaire is “intended to gather data about the size, types, and operations of potential auditees. The information gathered will be joined with additional data points to help select auditees that reflect a variety of types, sizes and locations for the next phase of the Audit Program.” Completing this exercise “does not mean your organization has been selected for an audit.” You’re just in the “pool.”

Organizations that are ultimately selected for an audit will be notified on a rolling basis. Those selected will have 10 business days to respond with the requested documentation, including a list of all current business associates with up-to-date contact information. OCR will use this information to compile a list of potential business associate subjects to audit and is encouraging entities to develop the business associate listing in advance to be able to meet the submission requirements.

The pre-screening questionnaire is comprised of four sections:

  • Primary Contact Information and Entity Type (health plan, provider, clearinghouse or business associate)
  • Secondary Contact Information
  • Basic Description Information about your Organization (private vs. public, single or multiple locations, affiliations)
  • Details related to Providers (type of provider, number of patients, number of beds, total revenue, EMR usage)

The letter containing the information regarding the questionnaire will provide a link to the “Audit Protocol – Current” and indicate that, if your organization is selected for an audit, OCR will do one of the following:

  1. Conduct a focused desk audit to review documentation of evidence of compliance with selected provisions of the Rules;
  2. Conduct a comprehensive on-site review of compliance with applicable requirements of the HIPAA Rules; or
  3. Follow up a desk audit with an on-site audit.

This leaves the door open for a separate compliance review IF serious compliance issues exist or a selected auditee fails to cooperate with an audit.

Clear as mud? It’s time to make sure your ducks are in a row! Is your organization ready?

Clearwater Compliance

Clearwater Compliance helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.