OCR Audit Protocol – First Thoughts
Bob Chaput, CISSP
President Clearwater Compliance
LinkedIn Profile
OCR has published the audit protocols for the HIPAA Security and Privacy and HITECH Breach Notification Rules. Our analysis is underway but here’s a big tip – learn the protocols and the emphasis on 45 CFR 164.308(a)(8) Evaluation Standard.
As we all know by now in a single sentence in the HITECH Act, mandatory audits of Covered Entities’ and Business Associates’ compliance with HIPAA and HITECH came to be.
“The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”
OCR has published their audit protocols and they are… well… interesting. In some areas, the protocols seem to be spot on, in others lacking and in some, “hyper-vigilant”. Sometimes the “hyper-vigilance” makes sense; e.g., the Access Control (Technical Safeguard) is covered very thoroughly and this makes sense because in many organizations “Access Control” is out of control.
One of the areas that pleasantly surprised me is the coverage of Evaluation (Administrative Safeguard) at 45 CFR 164.308(a)(8):
“Perform a periodic technical and non technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”
Few organizations have performed such an Evaluation or compliance assessment properly. In fact, consider the five specific audit points below related to the HIPAA Security Assessment or Evaluation, straight from the audit protocol.
OCR Audit Established Performance Criteria:
§164.308(a)(8) Evaluation – Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.