OCR Releases Protocol to Help Covered Entities Prepare for Phase 2 HIPAA Audits
The Office for Civil Rights (OCR) earlier this month released an updated audit protocol to help covered entities and their business associates document their compliance with the HIPAA Omnibus Final Rule. These audits, known as Phase 2, began in March when covered entities were notified of their selection via email or written letters.
OCR, which has also posted a pre-screening questionnaire (the document OCR uses to help determine its audit pool), and a sample template modeling how covered entities can list their business associates, noted that it would be accepting feedback on the protocol. This new protocol expands on the 2012 guidance that helped covered entities prepare for the first round of audits, which scrutinized compliance with HIPAA privacy, security, and breach notification rules. This update was necessary due to Phase 2’s added emphasis on business associates.
According to OCR, the protocol covers the following privacy rule areas:
- Privacy rule requirements for notice of privacy practices for protected health information
- Rights to request privacy protection for PHI; access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
Additionally, it covers the following aspects of the security rule:
- Administrative, technical, and physical safeguards
- Requirements covered in the breach notification rule, as amended by the Omnibus Final Rule
Privacy attorney Kirk Nahra told the publication HealthcareInfo Security that the protocol “is a very useful tool for any company to use in evaluating their overall compliance status and their ability to do well in an audit or investigation.” Nahra added: “It also will be very intimidating, as the protocol is incredibly detailed and granular, far beyond what many companies will have in place, particularly on elements that seldom come into play—for example policies relating to individuals who have been dead more than 50 years.”
While some experts have compared the document to an “open book test,” they warn that the process of preparing for an audit, as described in the protocol, could be overwhelming for small provider groups, according to a report from TechTarget.
What’s more, consultant David Holtzman, a former OCR senior advisor, tells HealthcareInfo Security that the protocol might be cited as evidence that “the HIPAA rules are too complex and demanding for small healthcare providers and employer group health plans.”