OCR releases protocol for phase 2 of HIPAA audits

A new HIPAA audit protocol has been posted by the Department of Health and Human Services' Office for Civil Rights, reflecting the Omnibus Final Rule.

OCR announced the second phase of the HIPAA audit program late last month during the 24th National HIPAA Summit in the District of Columbia.

"[OCR will] be looking at risk analyses and risk management, notices of privacy practices and access and response to requests for access, and content timeliness of notifications," OCR Director Jocelyn Samuels said at the summit.

This protocol is final and will be used in the second audit phase, an OCR spokesman said in a statement to HealthcareInfoSecurity.com. He added that there is an email address to use for comment, but no comment period, and that it will not be published in the Federal Register.

The updated protocol lists a little more than 180 areas of audit inquiry, more than the original protocol that was published in June 2012.

OCR also published a sample template for providers to list business associates, as well as a pre-screening questionnaire.

Desk audits will make up the first two rounds of audits. The first round of desk audits will focus on covered entities, FierceHealthIT previously reported, while the second round will focus on business associates; all desk audits will be completed by December. For each of the desk audits, OCR will look at compliance with particular provisions of the privacy, security and breach notification rules.

According to Politico Morning eHealth, Deven McGraw, deputy director of health information privacy for OCR, announced at an event that covered entities would receive letters about desk audits in May, while business associates would receive such letters in June or July.

To learn more:
- check out the audit protocol post
- here's the HealthInfoSecurity article
- check out the BA sample template
- here's the questionnaire
- here's the Politico Morning eHealth post