OCR Releases Phase 2 Audit Protocol and Other Tools
Without fanfare, OCR has released the protocol and several other tools for the recently-launched Phase 2 HIPAA compliance audits. The updated protocol identifies approximately 180 areas for potential audit inquiry: 89 from the Privacy Rule (addressing notice of privacy practices, rights to request privacy protection, access, administrative requirements, uses and disclosures, amendment, and accounting of disclosures), 72 from the Security Rule (administrative, physical, and technical safeguards), and 19 from the Breach Notification Rule. Areas of inquiry will vary among auditees: auditees will not necessarily be audited on every "key activity." OCR's notification letter will inform the auditee of the areas of inquiry.
The new protocol builds upon and expands the Phase 1 protocol, and describes the areas of “audit inquiry” OCR will use to assess compliance with a particular “key activity” (HIPAA Rule standard or implementation specification) and associated “established performance criteria” (directives contained in the HIPAA Rules). OCR has issued general audit instructions along with the protocol:
• References to "entity" in the protocol mean both CEs and BAs unless specifically identified as one or the other.
• "Management" refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the CE or BA to implement policies, procedures, and other standards.
• The auditor will not necessarily request all policies and procedures for review.
• Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request.
• Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word, or MS Excel formats.
• If the requested number of implementation documents is not available, the entity must provide instances from previous years to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
• Workforce members include entity employees, contractors, students, and volunteers.
• Information systems include hardware, software, information, data, applications, communications, and people.
For example: Many CEs and BAs are concerned about the state of their Security Rule risk analysis. The Security Rule requires covered entities and business associates to implement a security management process – “policies and procedures to prevent, detect, contain, and correct security violations.” Risk analysis is part of the security management process. The Security Rule defines “risk analysis” as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
In standard HIPAA parlance, risk analysis is a required implementation specification for the security management process standard.
In revised protocol language, risk analysis is a “required” “key activity” for the security management process, and the definition of risk analysis provides the “established performance criteria.” To determine whether the audited CE or BA has met the established performance criteria (in other words, whether it has performed an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it holds), OCR will examine designated areas of “audit inquiry.”
The revised protocol for risk analysis looks like this:
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
• Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
• Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
Determine how the entity has implemented the requirements.
Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in risk analysis and how frequently the risk analysis will be reviewed and updated.
Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted. Evaluate and determine whether the risk analysis or other documentation contains:
• A defined scope that identifies all of its systems that create, receive, maintain, or transmit ePHI
• Details of identified threats and vulnerabilities
• Assessment of current security measures
• Impact and likelihood analysis
• Risk rating
Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any. Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any. If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why.
Continuing with the risk analysis example, the revised protocol also describes areas of audit inquiry for the other three implementation specifications that, together with risk analysis, comprise the security management process standard: risk management, sanction policy, and information system activity review.
If the CE or BA is selected for audit of its security management process, it should examine all four related key activity protocols (established criteria and areas of audit inquiry).
Of course, the security management process key activity protocols comprise but a small portion of the revised protocol. CEs and BAs selected for audit should work with counsel to determine, among other things, how to best use the revised protocol to prepare for their audit.
OCR is currently emailing potential audit pool members to confirm contact information, and has recently begun sending a prescreening questionnaire to these entities. The prescreening questionnaire consists of 30 questions, including general entity description questions (public or private? single- or multi-location? affiliation with/ownership by other entities?) and separate sections for Healthcare Providers, Health Plans, Healthcare Clearinghouses, and Business Associates. CEs and BAs should review this questionnaire and begin gathering information that is not readily obtainable (e.g., number of patient visits in, and revenue for, the past fiscal year; number of claims processed monthly in the past fiscal year). While the prescreening questionnaire should not be time-consuming, the turnaround time will likely be short.
CEs and BAs should be alert for these OCR communications, and should ensure that individuals OCR might identify as the entity's "primary contact" check their junk and spam email folders daily (and be wary of potential phishing schemes). More information about the Phase 2 pre-audit process, and steps your organization can be taking now to prepare, can be found in OCR's Phase 2 Audits Are Here: Check Your Spam and Junk Folders.
OCR has also published a sample template for identifying business associates. This includes a sample spreadsheet for CEs to identify their BAs and contact information such as names, type of services provided, address, emails, and website URL. Regardless of whether a CE has received an initial OCR communication, working through this analysis privately is an excellent exercise to track BAs and keep their information current.
CEs and BAs should review the revised protocol and begin filling potential compliance gaps now. While for purposes of the audit itself, OCR will likely consider only documentation existing at the time of the notification/request (and while, of course, your organization must be transparent about what existed when), you may have the opportunity to demonstrate best efforts by showing what you did after notification to identify and mitigate potential non-compliance.
For more information, please contact Kimberly Metzger or a member of our Data Security and Privacy practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
45 CFR 164.308(a)(1)(i)
45 CFR 164.308(a)(1)(ii)(A)
45 CFR 164.308(a)(1)(ii)(B)
45 CFR 164.308(a)(1)(ii)(C)
45 CFR 164.308(a)(1)(ii)(D)