The HHS Office for Civil Rights (OCR) is the body responsible for enforcing HIPAA and administering the HIPAA audit program, and in 2021 alone it issued HIPAA settlements and civil money penalties exceeding $5.9 million.
Consisting of 169 modules, the HIPAA audit program covers the Security, Privacy and Breach Notification Rules and is used to assess the compliance of both covered entities and business associates.
Although the protocol is primarily used in response to a patient complaint or a reported breach, the OCR sometimes initiates a compliance review as part of a random audit.
To help prepare your organization for a potential HIPAA audit, this article walks through the HIPAA audit program and the particular standards and implementation specifications you must satisfy to maintain HIPAA compliance.
What is the HIPAA Audit Protocol?
The OCR published the first audit protocol in 2012 to clarify which HIPAA standards auditors assess. In 2016 the OCR updated the protocol to incorporate the changes made by the 2013 HIPAA Omnibus Rule; the updated protocol identifies approximately 180 areas for potential audit inquiry.
Organized into modules, the HIPAA audit protocol draws on the HIPAA Privacy, Security and Breach Notification Rules to assess covered entities' compliance, and covers the following:
- Breach notification requirements
- HIPAA security requirements for administrative, physical and technical safeguards
- Privacy Rule requirements: administrative requirements; uses and disclosures of PHI; amendment of PHI; accounting of disclosures; the notice of privacy practices for PHI; the right to request privacy protection for PHI; and access to PHI.
For each HIPAA standard, the audit protocol lists the legal requirements an auditor evaluates (the "established performance criteria") together with the audit procedures used to test them.
If an organization's submitted documentation is insufficient or unclear, the OCR may issue a follow-up request for information, or a desk audit may be escalated to an onsite audit.
Some elements of the audit protocol apply only to particular types of covered entities, or only to business associates, depending on who is under review.
HIPAA Audit Protocols: HIPAA Self-Audits
Performing routine self-assessments helps covered entities and business associates stay ahead of regulatory requirements rather than react to them.
When areas of non-compliance are discovered, the audit protocol serves as a blueprint for remediating them.
To check that your compliance program hasn't lapsed, ask yourself the following when conducting a HIPAA self-audit:
- Are the required HIPAA policies and procedures in place?
- Has a risk analysis been performed to identify threats and vulnerabilities to ePHI, and has it been updated since the environment last changed?
- Have the compliance policies and procedures been reviewed and updated on a regular schedule?
- Does the workforce understand HIPAA, and has every member received documented compliance training?
- Where an "addressable" implementation specification has not been implemented, is there documentation of the rationale and of any equivalent alternative measure that was adopted instead?
HIPAA Audit Protocols: HIPAA Security Rule Requirements
The audit protocol contains 72 audit inquiries addressing the Security Rule's administrative, physical and technical safeguards for electronic protected health information (ePHI).
Each safeguard is made up of standards, and most standards carry implementation specifications. To give covered entities flexibility, implementation specifications are divided into two categories: "required" and "addressable."
Required specifications must be implemented as written. For an addressable specification, the entity must assess whether the specification is reasonable and appropriate in its environment; if it is not, the entity may implement an equivalent alternative measure that achieves the same purpose, or, where neither is reasonable and appropriate, forgo it.
Whenever a covered entity does not implement an addressable specification as written, it must document why the specification was not deemed reasonable or appropriate and what alternative measure, if any, was put in place.
Because risk analysis is considered the essential first step in complying with the Security Rule, the audit protocol also checks whether the covered entity has performed a risk analysis to identify and remediate vulnerabilities and potential risks to all the ePHI it creates, receives, maintains and transmits.
Failure to perform a timely and thorough risk analysis is one of the compliance failures the OCR most routinely cites.
HIPAA Audit Protocols: HIPAA Privacy Rule Requirements
Within the audit protocol, there are 89 areas for potential audit inquiry under the HIPAA Privacy Rule.
The Privacy Rule establishes national standards for protecting individuals' medical records and other individually identifiable health information. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.
In addition to setting safeguards for the privacy of protected health information, the Privacy Rule sets limits and conditions on the uses and disclosures of that information that may be made without an individual's authorization.
The Rule also covers:
- The minimum necessary standard
- The notice of privacy practices for PHI
- Business associate contract requirements
- An individual's right to examine and obtain a copy of their PHI
- An individual's right to request amendment of their PHI and to request confidential communications by alternative means or at alternative locations
- A process for individuals to request an accounting of how their PHI has been disclosed
HIPAA Audit Protocols: Breach Notification Rules
This part of the audit protocol addresses the notifications HIPAA requires following a breach of unsecured PHI.
The HIPAA Breach Notification Rule also covers:
- How to determine whether a breach of PHI has occurred
- What to do following a breach at a business associate
- When and how a breach must be reported to the OCR
- Who else must be notified following a breach (affected individuals and, for larger breaches, the media)
Generally, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information; since the Omnibus Rule, such an impermissible use or disclosure is presumed to be a breach unless the entity demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised.
Since the 2013 HIPAA Omnibus final rule, auditors are instructed to review covered entities' policies and procedures relating to breach notification.
Tackle HIPAA Audit Protocols with a Risk Assessment
Failing to meet the requirements in the HIPAA audit protocol can lead to civil money penalties of $100 to $50,000 per violation, subject to annual caps, and in some cases to criminal charges.
With hundreds of millions of individual records exposed every year and the average cost of a data breach reported at $4.24 million, proactively maintaining HIPAA compliance is essential to reducing security risk and strengthening safeguards.
To uncover hidden compliance gaps, consider a risk assessment with Techumen.
At Techumen, our senior experts have guided 235 clinics and more than 1,200 healthcare organizations to more than 2,000 successful audits from HHS and CMS.
With fixed-cost pricing and a comprehensive understanding of regulation, information privacy, and security, our mission is to simplify healthcare security for all of our healthcare clients.
To assess your HIPAA compliance today, connect with one of our HIPAA specialists.