The health sector is under siege with cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have...

02 May 2016
OCR Releases Updated Audit Protocol
The new audit protocol represents the agency’s effort to provide a more comprehensive and detailed guide to OCR’s enforcement and audit approach. The protocol has been expanded to cover more HIPAA provisions than the one used during Phase 1 audits. In addition, the documentation requirements associated with specific HIPAA provisions now frequently include a list of specific criteria that will be considered in evaluating compliance with that provision.
OCR kicked off the Phase 2 audit program last month, and has been contacting covered entities and business associates that are candidates for inclusion in the Phase 2 HIPAA audits in order to obtain and verify contact information. OCR has put covered entities on notice that they should be on the lookout for this communication (e.g., checking junk or spam email folders for emails from OSOCRAudit@hhs.gov). Once contact information is verified, the agency will distribute short questionnaires, seeking additional business information about potential audit candidates (e.g., number of locations, number of hospital beds, list of business associates). Upon compiling that information, the agency will select which entities it will audit. OCR has stated that it will not audit entities with an open OCR HIPAA investigation or that are currently undergoing a compliance review.
The Phase 2 audits will be primarily “desk audits,” in which entities will be required to submit documentation electronically, in accordance with tight deadlines (expected to be ten business days). Additionally, OCR has suggested that there may be a limited number of on-site audits included as part of Phase 2. The agency has not yet determined whether entities subject to such audits will be pulled from the pool of entities subject to desk audits or from the broader pool of potential audit candidates the agency has identified.