HIPAA Audit Protocol Revealed

Lists 165 Areas of Performance Evaluation

By Howard Anderson, June 26, 2012.

The Department of Health and Human Services' Office for Civil Rights has published the official protocol for ongoing HIPAA compliance audits, offering a detailed breakdown of audit procedures.

The protocol, which the consulting firm KPMG is using to conduct the audits for OCR, includes 77 areas of evaluation for the HIPAA Security Rule and 88 for the HIPAA Privacy Rule and HIPAA Breach Notification Rule.

OCR has announced it plans to have KPMG conduct a total of 115 compliance audits this year under a program mandated by the HITECH Act. The first 20 audits are complete. OCR has selected 95 other organizations that will be audited, but notifications will be issued in phases (see: HIPAA Audits: A Progress Report).

In a recent presentation, Linda Sanches, senior adviser and health information privacy lead at OCR, said the first 20 audits showed that more organizations had trouble with security compliance than privacy compliance, and smaller organizations had more difficulties than larger ones (see: HIPAA Audits: A Preliminary Analysis).

Reaction to Protocols

Adam Greene, a partner at the law firm Davis Wright Tremaine who formerly worked at OCR, says the protocols should not only help audited entities better understand what OCR is looking for during a HIPAA audit, but also help organizations conduct self-assessments.

"This is a valuable tool for self audits and [for identifying] implementation gaps," he says. "Even if you're never chosen for an audit, if you use these tools for self-assessments, you're better positioned to defend yourself against [HIPAA] complaint investigations."

But a preliminary analysis of the audit protocols from consulting firm CynergisTek Inc. notes: "For organizations looking for a better understanding of what constitutes acceptable performance, or ranges of acceptable performance as we often see in other types of industry audits, the published protocol may still leave the industry wanting for more explicit guidance."

For example, the audit procedure for measuring whether an organization has conducted a risk assessment calls for determining "if the covered entity risk assessment has been conducted on a periodic basis." CynergisTek notes that it remains unclear what "periodic basis" means. The company asks: "Is that annually? What kind of change in the environment necessitates an update in the risk assessment?"

(Marianne Kolbasuk McGee contributed to this story.)

Follow Howard Anderson on Twitter: @HealthInfoSec
