The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released an updated audit protocol that health plan sponsors and business associates can use to prepare for Phase 2 of the HIPAA audit program.
The OCR audit protocol is organized around modules, each representing separate elements of privacy, security and breach notification. The protocol identifies approximately 180 areas for potential audit inquiry.
The updated OCR audit protocol identifies “key activities” (HIPAA standards) and provides information on the legal requirements for each standard, as well as potential audit inquiries related to the HIPAA requirements. More information about the audit protocol can be found here.
HIPAA’s Security Risk Assessment (SRA) Tool can also be used to perform and document an organization’s security risk analysis. The SRA Tool can be downloaded here.
Even if your organization is not selected for a Phase 2 audit, it is important to self-audit your business to ensure compliance, since the OCR will likely continue its enforcement efforts after Phase 2 audits are complete.