Physician Practice

HIPAA Phase 2 audit protocols released

Physician Practice Insider, April 19, 2016

The Office for Civil Rights (OCR) released updated audit protocols and other audit documents for Phase 2 of its HIPAA audit program. The updated protocol contains a description of the audit areas, general instructions and definitions, and a keyword searchable table.
The audit protocol covers Privacy Rule, Security Rule, and Breach Notification Rule requirements. Privacy Rule requirements are further broken down into specific targets:

  • Notice of privacy practice for protected health information (PHI)
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures

The Phase 2 audit protocol expands the compliance areas to reflect changes made by the 2013 HIPAA Omnibus Final Rule. The updated audit protocol also includes information for business associates (BA). BAs were not audited during Phase 1, but will be included in the current round of audits.

The table maps audit areas to sections of the legislation, key activities OCR expects covered entities (CE) and BAs to take, performance criteria, and audit inquiry. The table goes into a high level of detail and lists more than 100 audit areas.

Although the audit protocol has been published and are not likely to be revised before the audit requests are sent, OCR is accepting feedback.

Along with the updated Phase 2 audit protocol, OCR also published the pre-screening questionnaire it will send to CEs and BAs selected for audits. The questionnaire begins with four basic questions that apply to all entities and is then divided into sections for healthcare providers, BAs, healthcare clearinghouses, and health plans.
In addition to the pre-screen questionnaire, CEs will be asked to submit a list of their BAs. OCR published a sample BA listing template CEs can use to complete this requirement. The sample template has 27- items and reports information such as the service a BA provides, contact information for up to two individuals at the listed BA, and the BA’s website.

OCR announced it would begin verifying the contact information of CEs and BAs selected for Phase 2 audits March 21.

This article was originally published in the Revenue Cycle Daily Advisor.

Most Popular