OCR issues audit protocol and targets over 800 entities—business associates too

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

The Office for Civil Rights (OCR) has issued its revamped audit protocol for its second phase of auditing covered entities and business associates’ compliance with the HIPAA Privacy, Security and Breach Notification Rules.

The lengthy audit protocol is posted on the OCR website. It provides general instructions, and then cites each statutory section of the Privacy, Security and Breach Notification Rules that will be covered by the audit. For instance, pursuant to 45 C.F.R. Section 164.510(b), the OCR will look at “What policies and procedures exist for disclosing PHI to family members, relatives, close personal friends, or other persons identified by the individual?” and will “Obtain and review policies and procedures for such disclosures.”

An example of a question related to compliance with the Security Rule is 45 C.F.R. Section 164.308(a)(5)(i) “Does the entity have policies and procedures in place regarding a security awareness and training program? Does the entity provide security awareness and training to all new and existing members of its workforce? Obtain and review policies and procedures for security awareness and training program.” The documents the OCR mention include obtaining the training materials to determine if they are “reasonable and appropriate for workforce members to carry out their functions” and “Obtain and review documentation demonstrating that the security awareness and training programs are provided to the entire organization and made available to independent contractors and business associates, if appropriate.”

In the section outlining the review of breach notification compliance, the OCR indicates that if a covered entity or business associate determined that an acquisition, access, use or disclosure of PHI did not require notification, “did the covered entity or business associate determine that one of the regulatory exceptions…apply? If yes, obtain documentation of such determination.”

The OCR has been warning covered entities and business associates about the new phase of audits for over a year. Now that we have the protocol, it can be used as a road map for preparing for an audit, or getting compliance in order.

We are hearing through the grapevine that over 800 covered entities and business associates will get the “letter” from the OCR to start the audit process. If you get the letter (which the OCR says you will not get if there is a pending investigation), get ready. If you don’t get the letter in this wave, still, get ready. Use the roadmap as guidance that we rarely get from the OCR.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide