OCR Audit Key Activity 1:
Determine Whether Internal or External Evaluation Is Most Appropriate.
OCR Audit Protocol Procedures 1:
Inquire of management whether evaluations are conducted by internal staff or external consultants. Obtain and review a sample of evaluations conducted within the audit period to determine whether they were conducted by internal staff or external consultants. For evaluations conducted by external consultants, determine if an agreement or contract exists and if it includes verification of consultants’ credentials and experience. For evaluations conducted by internal staff, determine if the documentation covers elements from the specified performance criteria.
OCR Audit Key Activity 2:
Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule.
OCR Audit Protocol Procedures 2:
Inquire of management as to whether policy and procedures exist to ensure an evaluation considers all elements of the HIPAA Security Rule. Obtain and review policy and procedures used and evaluate the content in relation to the specified criteria. Determine if the process has been approved and updated on a periodic basis as required.
OCR Audit Key Activity 3:
Conduct Evaluation.
OCR Audit Protocol Procedures 3:
Inquire of management as to whether policy and procedures exist to ensure all necessary information needed to conduct an evaluation is obtained and documented in advance. Obtain and review the evaluation process in place in relation to the specified criteria. Determine if the policy and procedures have been approved and updated on a periodic basis.
OCR Audit Key Activity 4:
Document Results.
OCR Audit Protocol Procedures 4:
Inquire of management as to whether formal or informal policy and procedures exist to document the evaluation of findings, remediation options and recommendations, and remediation decisions. Obtain and review formal or informal policy and procedures used to document the evaluation of findings, remediation options and recommendations, and remediation decisions in relation to the specified criteria. Determine if written reports of findings are reviewed and approved.
OCR Audit Key Activity 5:
Repeat Evaluations Periodically.
OCR Audit Protocol Procedures 5:
Inquire of management as to whether formal or informal security policies and procedures specify that evaluations will be repeated when environmental and operational changes are made that affect the security of ePHI. Obtain and review the entity’s formal or informal security policies and procedures and evaluate the content in relation to the specified criteria to determine the process for repeat evaluations. Determine if formal or informal security policies and procedures are reviewed on a periodic basis.
Also, you may wish to read the entire CMS report entitled HIPAA Compliance Review Analysis and Summary of Results or download this white paper “The 2012 HIPAA Audits: Will the Past Predict the Future?. Finally, the complete HIPAA Privacy, Security and Breach regulations can be found here.
Bob Chaput, CISSP, is a leading HIPAA-HITECH compliance expert. He blogs regularly on the topic where this post originally appeared. His company, Clearwater Compliance, offers Continuing Professional Education Credits for participation in their Clearwater HIPAA Audit Prep BootCamp™. You can download a PDF for more information.