HIPAA/HITECH Compliance: Using the OCR Audit Protocols

The U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) has published its HIPAA Security and HIPAA Privacy and Security Breach Audit Protocols online. These are a great, if incomplete, resource for Covered Entities and Business Associates who would like to conduct a gap analysis of their HIPAA compliance, and as the starting point for a HITECH gap analysis. I don’t consider them adequate for a Security, Privacy or Breach assessment, however.

Why do I say they are incomplete and good only for gap analysis? The problem is that they are really just checklists of regulatory requirements, with a very high-level description of the audit procedure to be followed – as shown in the following example:

Section Established Performance Criteria Key Activity Audit Procedure Implementation Specification
§164.308 §164.308(a)(1)(i): Security   Management Process – Although the HIPAA Security Rule does not require   purchasing any particular technology, additional hardware, software, or   services may be needed to adequately protect information. . . . Acquire   IT Systems and Services Inquire of management   as to whether formal or informal policy and procedures exist covering the   specific features of the HIPAA Security Rule information systems §164.306(a)   and (b). Obtain and review formal or informal policy and procedures and … Required

Since the audit protocol tables give me a line-item for each regulatory requirement, it’s easy to convert them into checklists. (I’ve done so and would be happy to provide a copy upon request, but you can do it yourself easily enough.) You can then audit your organization against the checklist and inventory your policies, procedures, etc., and see if there’s anything missing. That’s a gap analysis, and it’s not a bad thing to do, especially against the incoming HITECH requirements.

But completion of the checklist won’t tell you whether the policies, procedures, etc. in your inventory are actually adequate or appropriate to your organization. This is the more difficult task of assessment, which for most Security Rule purposes requires an analysis of vulnerabilities, data criticality and potential remediation strategies, and a process for determining and accepting risks within the organization’s tolerance. For some Security Rule and most Privacy and Security Breach Rule requirements the regulations are more prescriptive and less risk-based – for example, the required elements of a Business Associate Contract are specified in the regulations, and on one level a compliant BAC is simply one which has the required content. But even with prescriptive requirements, in most cases there needs to be an assessment whether the policy, procedure or whatever actually meets the organization’s needs in addition to the letter of the regulations. In other words, due diligence is not satisfied by simply checking the boxes.

And the Protocols also are not complete, because they don’t really address the governance layer necessary for compliance. This is really beyond the scope of the rules, so it’s understandable they don’t address it. It is nonetheless well-established law that competent governance is necessary for organizations to avoid legal penalties for compliance failures, and that fiduciary oversight is fundamental for compliance.

I therefore suggest having a look at the Sample Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Review, published by CMS a couple of years ago, to fill in some of these gaps. This is not a checklist, but does provide significant additional insight into how an audit would be conducted, including who would in fact be interviewed, and what documents would be requested. Consider how and where the activities noted in that document would fit in to your Audit Protocol-based checklists, and you should be in a better position to figure out how your own organization would respond to an actual compliance audit.

15 Responses to HIPAA/HITECH Compliance: Using the OCR Audit Protocols