At the beginning of the month, the Department of Health and Human Services Office for Civil Rights (OCR) let out a redone audit protocol, which addresses the requirements of the 2013 Omnibus Final Rule. OCR will use the audit protocol to commence its approaching phase 2 audits, which will be performed for covered entities and business associates starting next month.
The protocol provides coverage to the following subject areas.
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Breach Notification Rule requirements.
OCR has also let out other materials, which reveal more of the auditing process logistics, which includes a copy of the Audit Pre-Screening Questionnaire that it will use to the gather demographic information relating to covered entities and business associates. OCR will then make use of the data to set out a pool of potential parties to audit.
OCR will require entities chosen for the audit to show and provide detailed information about their business associates. Data that is collected by OCR will be used to sort out business associates for the Phase 2 audits. OCR has let out a template, which contains the information that covered entities will need to bring up, and that includes the name of the business associate, as well as contact info, and type of services and website.
Entities and businesses with coverage should make sure that they have all the required compliance documents and materials at the ready. If you check the aggressive timetable for the OCRs and picked an audit, the auditee would only have 10 days to make a response to the OCR.
The audit protocol is one of the best HIPAA compliance tools, mainly for audit readiness assessment. The main problem here is that the version provided on the OCR website is commonly found to be hard to use in practice.