OCR Updates Audit Protocol Emphasizing its Role for Compliance and Enforcement

September 5, 2018 David Holtzman

The US Department of Health and Human Services, Office for Civil Rights (OCR) has, without fanfare, updated its comprehensive audit protocol, making substantive changes to the inquiries used to demonstrate how an organization applies its workforce sanctions policy and, more broadly, its compliance with the Breach Notification Rule. Released in 2016 for use by HIPAA covered entities and business associates preparing for the Phase 2 Audit Program, the Audit Protocol is now used by health care organizations, as well as by OCR’s own investigators, to evaluate an organization’s compliance with the Privacy, Security and Breach Notification Rules.

What are the Changes?

A survey of the more substantive changes:

Privacy Rule

Sanctions Policy

  • Does the covered entity apply appropriate sanctions to members of the workforce who fail to comply with the CE’s breach notification policies and procedures or the Breach Notification Rule?
  • Obtain and review the documentation of the application of the sanctions to a sample of breach notification incidents to determine if appropriate sanctions were applied.

Breach Notification Rule

  • Obtain a list of risk assessments conducted where the CE determined that the PHI was compromised and notification required under the BNR. Obtain and review all documentation associated with the conduct of the risk assessments. Assess whether the risk assessments were completed in accordance with the requirements of the BNR and the CE’s policies and procedures.
  • Inquire whether the CE has used a standard template or form letter for notification of breaches or of specific types of breaches. If the CE has used such templates or form letters, obtain the documents and evaluate whether they meet the BNR’s required content elements.
  • Obtain a list of breaches that occurred in the previous calendar year. Obtain the written notices sent to affected individuals for the first five breaches and evaluate whether they contained the required content.
  • Did the Business Associate (BA) or Subcontractor (SC) determine that there were breaches of unsecured PHI within the previous calendar year? Has the BA notified the CE following its discovery of any breach, consistent with these requirements?
  • Obtain copies of all notifications sent by the BA or its SC to the covered entity (or to the BA, for breaches by the SC) in the previous calendar year. Evaluate the content and timeliness of the first five notifications made by the BA in the prior year. For example, review documentation of when the breach was discovered and of the information that was subject to the breach. Determine whether the notifications contain the required content.

What Action Should Organizations Take?

Healthcare provider practices, health plan administrators and business associates should prepare now so they are ready if they are selected for a compliance review:

  • Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Ensure you have access to all required documentation to demonstrate that policies and procedures are being applied
  • Consider conducting a compliance assessment (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing

CynergisTek has updated its toolkit to reflect the latest changes to the OCR Audit Protocol. Please contact us to receive a copy.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule with health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
