
The OCR Audit Protocol – a first look …

On June 26, 2012, the Office for Civil Rights published its Audit Protocols for HIPAA Security, HIPAA Breach and Privacy at http://ocrnotifications.hhs.gov/hipaa.html.

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

The audit protocol covers Privacy Rule requirements for (1) Notice of privacy practices for PHI, (2) Rights to request privacy protection for PHI, (3) Access of individuals to PHI, (4) Administrative requirements, (5) Uses and disclosures of PHI, (6) Amendment of PHI, and (7) Accounting of disclosures.

The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.

The protocol covers requirements for the Breach Notification Rule.”

There are two tables within the protocol, one for HIPAA security with 77 entries and a second table for HIPAA breach and privacy of 88 entries.


The tables have the following column headings:

Section

Established Performance Criteria

Key Activity

Audit Procedures

The security table has a fifth column, Implementation Specification, noted as either addressable, required, or N/A.

These headings are not explained or defined.

The Section column gives the Code of Federal Regulations (CFR) section for the specific HIPAA standard that the next 3 or 4 columns address.

The Established Performance Criteria column contains either the CFR language itself or an explanation of what the audit protocol expects.

The Key Activity column outlines what you must be doing such as developing awareness training, content, materials, and methods, or the process steps relating to the overall objective.

The Audit Procedures are what the auditor is going to ask you for to prove compliance and implementation. For example, you will be asked for policies, procedures, plans, job descriptions and many other things.

Unfortunately, the data in the PERFORMANCE CRITERIA cells and the AUDIT PROCEDURE cells are not all visible on the webpage. You must expand each cell to find either the full criteria information or the full audit procedure information.

If you choose to print the tables you will not have the complete information of one or the other or both expandable cells. Nor can you expand all the necessary cells before you print.


Protocol Review

1. There are enough differences between the two tables that it appears the tables were created by different individuals or different groups.

For example, in the security table the ‘established performance criteria’ do not state or include the CFR citation for each standard section or implementation specification section, yet in the breach and privacy table it is mostly the CFR language that appears in this column.

It would be much more informative if both the standard citation and title and the implementation specification citation and titles were within the ‘established performance criteria’ cells.

2. The protocols ask both Code of Federal Regulations (CFR) questions and practical questions. They ask both types of question because you will need to prove that you comply with all the regulation sections that apply to your type of entity and also provide evidence that you have implemented those sections.

For example, for security section 164.308(a)(8), Evaluation, you are asked both if you have conducted an evaluation and what type of documentation you have for your evaluation, such as standards and measurements used for evaluation, and findings of an evaluation.

3. Audit procedures ask for ‘formal or informal policies and procedures.’


Are both formal and informal policies and procedures written documents? Or are they informal in understanding? Are they casual? Irregular? Unofficial? Unconventional?

Perhaps OCR will clarify if enough of the individuals and entities being audited in this round do not understand what informal means.

4. The criteria and audit procedures do not always follow the order of the Security Rule or the Privacy Rule.

For example, under 164.512, Uses and disclosures for which an authorization or opportunity to agree or object is not required, the research questions and issues come first rather than 9th, as they are in the regulation.

Then the questions return to asking in order from one forward.

5. Sometimes the compliance questions are asked first and then the practical questions, and at other times it is the opposite.

I have not yet discovered any rhyme or reason for this.

6. In 164.530, Administrative requirements, (a) Personnel designation of a privacy officer is missing from the privacy table, yet in the security table the security official questions are asked.

I think this is just an oversight!


activity is a listing of types, functions and uses, and the other is a performance question.

8. Several of the key activities or audit procedures ask for work that may appear to be neither CFR compliance, nor evidence of implementation. You may want to consult your attorney or compliance office to help you interpret these areas.

Conclusion

The OCR protocols give the industry much more information than the initial document request that was released after the first 20 entities were audited.

Each type of covered entity and business associate can now plan their own audit using the information on the OCR website.

Any entity that has used the NIST HIPAA Security toolkit, using either version, will have many of the answers they need for the OCR HIPAA security protocol to demonstrate compliance with the section and have documented evidence of implementation as well.

MalvernGroup has created two tables with all expansion entries for the criteria and audit procedures columns; they can be found at http://www.malverngroup.com/Publications.html

MalvernGroup plans a comprehensive OCR audit protocol workbook for you to use to do your own bench audit that will be supported by experienced consultants to help you as needed.
