HIPAA Audit Report Gives Providers New Roadmap to Compliance

In late June 2012, the Department of Health and Human Services Office for Civil Rights published its long-awaited HIPAA compliance audit protocol.

For covered entities and business associates, the protocol serves as a roadmap of practices and procedures that help ensure compliance and avoid fines and other sanctions. Law firm Mintz Levin writes:

“The protocol addresses 165 performance criteria, 77 of which focus exclusively on compliance with the Security Rule, and 88 in combination that deal with Breach Notification and Privacy Rule requirements… All covered entities, particularly small providers (who historically have constituted a high proportion of HIPAA violations), should take the opportunity to use the audit protocols as a guide to draft or revamp their HIPAA compliance policies and procedures as well as to devise a plan of action to respond to audits in an organized and comprehensive manner.” (HIPAA Audit Protocols Now Public)

For your reference, three takeaways from the protocol:

1. Document, document, document:

“Unsurprisingly, the protocols demonstrate a clear bias towards extensive documentation, both in terms of written policy documents and in terms of documentation of risk assessments, compliance activities, training programs, and even documentation of decisions not to take certain compliance or security steps.” (Recently Released HIPAA Audit Protocol Offers Insight As to Audit Priorities, Best Practices by Ober|Kaler)

2. Different entities are likely to be held to different standards:

“OCR noted that the combination of these multiple requirements may vary based on the type of covered entity selected for review. According to the information made available about the initial test phase of the Audit program, OCR is targeting a wide array of covered entities, including health plans, clearinghouses, and health care providers. Among the health care providers, OCR audited several types of providers, including physician practices, hospitals, a laboratory, a dental practice, a nursing and custodial facility, and a pharmacy.” (OCR Releases Protocol for HIPAA Privacy, Security and Breach Notification Audits by Ropes & Gray LLP)

3. Some questions remain unanswered:

“The audit protocol, however, … does not provide much detail as to the standards against which the audited entity is being judged. For example, with respect to the Privacy Rule’s requirement for administrative, technical, and physical safeguards, the audit procedures require the auditor to “[o]bserve and verify whether the safeguards in place are appropriate.” However, it remains unclear what safeguards are appropriate.” (HIPAA News: The Good, the Bad, and the Ugly by Davis Wright Tremaine LLP)
