As promised in its announcement of phase 2 HIPAA compliance audits (see our Checkpoint article), HHS’s Office for Civil Rights (OCR) has released an updated audit protocol addressing requirements under the privacy, security, and breach notification rules that will be assessed through OCR’s upcoming audits of covered entities and business associates. The protocol identifies sections of the applicable rules, established performance criteria under each rule, and the inquiries auditors will make to evaluate compliance. Auditors will rely on documents and other items furnished by covered entities and business associates in response to document requests; materials generally must be the versions in use as of the date of the audit notification and document request. However, in some cases, prior versions may be requested—for example, to verify that documents were properly updated to reflect legal changes made by the HITECH Act. The protocol includes numerous references to “information systems,” which are defined to include hardware, software, information, data, applications, communications, and people—indicating the anticipated breadth of the audits’ scope.
OCR has also updated its audit program webpage with a link to its audit pre-screening questionnaire, which OCR will send to pools of covered entities and business associates to help identify candidates for audit. The questionnaire includes general questions about the respondent (for example, whether it is affiliated with a larger organization) and then specific questions for different types of covered entities and for business associates. Health plans are asked whether they are responding as a “group health plan sponsor” (and, if so, whether they receive only summary data from the health plan), the number of plan members, total “revenue” and the average number of claims processed monthly in the most recent fiscal year, and whether a TPA performs most health plan functions (with identifying information, if the answer is yes). Business associates are asked about the extent of their HIPAA-governed operations and whether they maintain or transmit electronic protected health information (PHI). The audit program page also includes a sample template for disclosing information about business associates.
EBIA Comment: OCR’s public release of the pre-screening questionnaire is welcome—covered entities and business associates can review the questionnaire now and compile responsive information in case they receive a questionnaire from OCR. (Remember that the questionnaire is likely to arrive via email—check your spam folder!) The audit protocol touches on a number of themes highlighted in recent resolution agreements, including comprehensive risk analyses (see our Checkpoint article); business associate contracts (see our Checkpoint article); authorizing, terminating, and monitoring access to PHI (see our Checkpoint article); periodic security updates (see our Checkpoint article); and breach-related policies and procedures (see our Checkpoint article). Although the probability of any particular covered entity or business associate being audited is small, prudence argues in favor of reviewing the audit protocol and using it as a compliance check-up. Forewarned is forearmed—it will be too late to start preparing responsive documents after an audit notification is received. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XX.C (“HIPAA Compliance Audits by HHS”).
Contributing Editors: EBIA Staff.