HIPAA Risk Analysis Tip – The Biggest Risk Management Surprises in the 2016 OCR Audit Protocol

A quick look at the “Current Protocol” reveals greater coverage of the regulations and more in-depth inquiries and documentation review, but the details provide even bigger surprises.  OCR isn’t kidding about the need for greater information security and formal risk management processes.

What’s New in the Current Protocol

OCR Audit Protocol Risk ManagementTo begin with, OCR didn’t even have an Audit Inquiry for Risk Management (§164.308(a)(1)(ii)(B)) in the 2012 Audit Protocol – Well, now they do! Not only will the auditors be looking for policies and procedures for a risk management process, but also the details of how risk will be managed, by whom, how often and documentation of management’s acceptable level of risk. In addition, they will want evidence that security measures have been implemented as a result of that risk analysis and that those measures are sufficient to mitigate or remediate identified risks to an acceptable level according to the risk rating.

Here’s another 2016 Audit Inquiry that wasn’t included in 2012 and involves advanced risk management thinking: Assess the criticality of specific applications and data in support of other contingency plan components (§164.308(a)(7)(ii)(E)). Following a review of the policies and procedures for assessing application and data criticality analysis, the auditors will then review the list of critical ePHI applications and their assigned criticality levels which “should have been categorized based on importance to business needs or patient care, in order to prioritize for data backup, disaster recovery, and emergency operations plans.”

Another Security Rule implementation specification that wasn’t included in 2012 and which requires some risk management forethought: evidence of a Facility Security Plan (§164.310(a)(2)(ii)). Instructions to the auditors in the 2016 Audits: “Elements to review may include but are not limited to:

  • Identification of the physical security measures in place to provide physical security protection for facilities and equipment
  • Workforce members’ roles and responsibilities regarding the facility security plan
  • Inventory of the entity’s facilities that house equipment that create, maintain, receive, and transmit ePHI.”

Deeper Dive

Even for those requirements that are covered in both 2012 Phase 1 and Current Protocols, the audit processes associated with risk management have become significantly more comprehensive.  Take for example, Risk Analysis: the conduct of an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (§164.308(a)(1)(ii)(A)).  We’ve heard former OCR director, Leon Rodriquez, and current OCR director, Jocelyn Samuels, frequently emphasize the need for formal Risk Analysis and the lack thereof as evidenced in almost 75% of Settlement Agreements to date.  Now, in addition to looking for the who, what and how in the policies and procedures, auditors will be requesting evidence of management’s involvement in determining an acceptable level of risk, risk-rating registers, and a determination of the sufficiency of security measures put in place for mitigating or remediating identified risks.

Less Inquiry, More Audit

Gone are the days of “formal or informal” policies and procedures. Gone too are many of the “Inquire of Management….” to be replaced with “Analyze” and “Determine.” Consider, for example, the Audit Inquiry for Evaluation (§164.308(a)(8)) where auditors will “Evaluate and determine if such [technical and non-technical] evaluations appropriately evaluate ePHI security measures; addresses evaluation findings associated with noncompliant security measures; identifies and measures risks associated with noncompliant security measures; and that evaluation findings are reviewed and certified by appropriate management.”

And yet another example, “Sanctions” (§164.308(a)(1)(ii)(C)) where auditors will “Evaluate and determine whether appropriate sanctions were applied for workforce members that failed to comply with security policies and procedures.”

It looks like the gloves are coming off with the 2016 OCR Audit Protocol.

HIPAA Risk Analysis Resources Available to You

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:

Series Navigation<< HIPAA Risk Analysis Tip – New HHS Risk Assessment Tool – Much Ado About Nothing

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.