If you haven’t reviewed them already, take a look at the audit protocols the Office for Civil Rights has posted for HIPAA security and privacy and HITECH breach compliance. According to the website, “OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.”
The HIPAA security protocol has 77 entries, broken down by regulatory section for each of the administrative, physical, and technical safeguards. The table lists the regulatory section, the performance criteria, the key activity, and the audit procedure. The procedures all begin with “Inquire of management…” and then instruct the auditors to review the relevant policies and procedures. The privacy and HITECH protocols are structured the same way as the security protocol and cover (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. The first 10 entries address breach audit procedures; the remaining 78 address the HIPAA privacy requirements.
The posted protocols contain a significant amount of detail as to what auditors will request and review. While they may seem overwhelming, they are well worth review if for no other reason than to give your HIPAA/HITECH compliance program a thorough checkup. You also would be prepared if you are one of the lucky 95 covered entities/business associates OCR will audit this year. To what degree is your organization reviewing the protocols and for what purpose?