OCR Releases Protocol to Help Covered Entities Prepare for Phase 2 HIPAA Audits

The Office for Civil Rights (OCR) earlier this month released an updated audit protocol to help covered entities and their business associates document their compliance with the HIPAA Omnibus Final Rule. These audits, known as Phase 2, began in March when covered entities were notified of their selection via email or written letters.

OCR, which has also posted a pre-screening questionnaire (the document OCR uses to help determine its audit pool), and a sample template modeling how covered entities can list their business associates, noted that it would be accepting feedback on the protocol. This new protocol expands on the 2012 guidance that helped covered entities prepare for the first round of audits, which scrutinized compliance with HIPAA privacy, security, and breach notification rules. This update was necessary due to Phase 2’s added emphasis on business associates.

According to OCR, the protocol covers the following privacy rule areas:

  • Privacy rule requirements for notice of privacy practices for protected health information
  • Rights to request privacy protection for PHI; access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures

Additionally, it covers the following aspects of the security rule:

  • Administrative, technical, and physical safeguards
  • Requirements covered in the breach notification rule, as amended by the Omnibus Final Rule

Privacy attorney Kirk Nahra told the publication HealthcareInfo Security that the protocol “is a very useful tool for any company to use in evaluating their overall compliance status and their ability to do well in an audit or investigation.” Nahra added: “It also will be very intimidating, as the protocol is incredibly detailed and granular, far beyond what many companies will have in place, particularly on elements that seldom come into play—for example policies relating to individuals who have been dead more than 50 years.”

While some experts have compared the document to an “open book test,” they warn that the process of preparing for an audit, as described in the protocol, could be overwhelming for small provider groups, according to a report from TechTarget.

What’s more, consultant David Holtzman, a former OCR senior adviser, tells HealthcareInfo Security that the protocol might be cited as evidence that “the HIPAA rules are too complex and demanding for small healthcare providers and employer group health plans.”

1 Comment

  1. The new OCR HIPAA Audit protocol should be viewed as a welcomed change. The OCR has made the key performance indicators (KPIs) more clear – what practices are expected. Further, it has articulated, in fairly plain language, how it will evaluate performance with very specific and granular “audit inquiry” guidance. When combined with the abundance of practical content, FAQs and tools that the OCR has published in its blog series throughout 2016, it is much harder for an organization to attribute any potential deficiencies to the root cause that was cited over 50% of the time in the Phase I audits — “We did not understand the requirement.” The OCR has gone to great effort to deliver on its promise to learn from its audit and investigation experiences and translate that learning into tools for the industry.

    Whether you look at the Protocol like an open book test or a study guide, one thing should be clear. Every organization should put itself through a practice drill and the drill has to be a legitimate simulation, starting with testing the ability to respond to the requisite document request in 10 business days. If an organization finds itself unable to execute on this piece for any reason — documentation does not exist, distractions get in the way, stakeholders/document owners don’t take it seriously — perhaps a self-assessment is not the right way to practice. It is absolutely worth considering working with an expert third-party — sometimes that added “skin in the game” helps people take things more seriously. We have not worked with an organization yet that has been able to respond “thoroughly” to our mock documentation request when we have led these simulations for them.

    The stakes are high with these new desk audits. Many of them will lead to more invasive compliance reviews to be sure. The most important questions we ask the organizations that we work with are these — “Does your program documentation tell your compliance story? Does it reflect all of the hard work that you have put into HIPAA over the years? Do you have ‘documentation in depth’ so that evidence of how you practice is clear beyond just your policies and procedures?”

    That is where we start and we think that is a good place for every organization to start. Start with the end in mind. In this case, a successful demonstration of both the “intent to comply” and the “evidence of compliance” should be in everyone’s sights.

