The Department of Health and Human Services' Office for Civil Rights has published the official protocol for ongoing HIPAA compliance audits, offering a detailed breakdown of audit procedures.
The protocol, which the consulting firm KPMG is using to conduct the audits for OCR, includes 77 areas of evaluation for the HIPAA Security Rule and 88 for the HIPAA Privacy Rule and HIPAA Breach Notification Rule.
OCR has announced it plans to have KPMG conduct a total of 115 compliance audits this year under a program mandated by the HITECH Act. The first 20 audits are complete. OCR has selected 95 other organizations that will be audited, but notifications will be issued in phases (see: HIPAA Audits: A Progress Report).
In a recent presentation, Linda Sanches, senior adviser and health information privacy lead at OCR, said the first 20 audits showed that more organizations had trouble with security compliance than privacy compliance, and smaller organizations had more difficulties than larger ones (see: HIPAA Audits: A Preliminary Analysis).
Reaction to Protocols
Adam Greene, a partner at the law firm Davis, Wright Tremaine who formerly worked at OCR, says the protocols should not only help audited entities better understand what OCR is looking for during a HIPAA audit, but also provide assistance for self-assessments.
"This is a valuable tool for self audits and [for identifying] implementation gaps," he says. "Even if you're never chosen for an audit, if you use these tools for self-assessments, you're better positioned to defend yourself against [HIPAA] complaint investigations."
But a preliminary analysis of the audit protocols from consulting firm CynergisTek Inc. notes: "For organizations looking for a better understanding of what constitutes acceptable performance, or ranges of acceptable performance as we often see in other types of industry audits, the published protocol may still leave the industry wanting for more explicit guidance."
For example, the audit procedure for measuring whether an organization has conducted a risk assessment calls for determining "if the covered entity risk assessment has been conducted on a periodic basis." CynergisTek notes that it remains unclear what "periodic basis" means. The company asks: "Is that annually? What kind of change in the environment necessitates an update in the risk assessment?"(Marianne Kolbasuk McGee contributed to this story.)