HIPAA/HITECH Compliance: Using the OCR Audit Protocols

The U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) has published its HIPAA Security and HIPAA Privacy and Security Breach Audit Protocols online. These are a great, if incomplete, resource for Covered Entities and Business Associates who would like to conduct a gap analysis of their HIPAA compliance, and as the starting point for a HITECH gap analysis. I don’t consider them adequate for a Security, Privacy or Breach assessment, however.

Why do I say they are incomplete and good only for gap analysis? The problem is that they are really just checklists of regulatory requirements, with a very high-level description of the audit procedure to be followed – as shown in the following example:

Section Established Performance Criteria Key Activity Audit Procedure Implementation Specification
§164.308 §164.308(a)(1)(i): Security   Management Process – Although the HIPAA Security Rule does not require   purchasing any particular technology, additional hardware, software, or   services may be needed to adequately protect information. . . . Acquire   IT Systems and Services Inquire of management   as to whether formal or informal policy and procedures exist covering the   specific features of the HIPAA Security Rule information systems §164.306(a)   and (b). Obtain and review formal or informal policy and procedures and … Required

Since the audit protocol tables give me a line-item for each regulatory requirement, it’s easy to convert them into checklists. (I’ve done so and would be happy to provide a copy upon request, but you can do it yourself easily enough.) You can then audit your organization against the checklist and inventory your policies, procedures, etc., and see if there’s anything missing. That’s a gap analysis, and it’s not a bad thing to do, especially against the incoming HITECH requirements.

But completion of the checklist won’t tell you whether the policies, procedures, etc. in your inventory are actually adequate or appropriate to your organization. This is the more difficult task of assessment, which for most Security Rule purposes requires an analysis of vulnerabilities, data criticality and potential remediation strategies, and a process for determining and accepting risks within the organization’s tolerance. For some Security Rule and most Privacy and Security Breach Rule requirements the regulations are more prescriptive and less risk-based – for example, the required elements of a Business Associate Contract are specified in the regulations, and on one level a compliant BAC is simply one which has the required content. But even with prescriptive requirements, in most cases there needs to be an assessment whether the policy, procedure or whatever actually meets the organization’s needs in addition to the letter of the regulations. In other words, due diligence is not satisfied by simply checking the boxes.

And the Protocols also are not complete, because they don’t really address the governance layer necessary for compliance. This is really beyond the scope of the rules, so it’s understandable they don’t address it. It is nonetheless well-established law that competent governance is necessary for organizations to avoid legal penalties for compliance failures, and that fiduciary oversight is fundamental for compliance.

I therefore suggest having a look at the Sample Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Review, published by CMS a couple of years ago, to fill in some of these gaps. This is not a checklist, but does provide significant additional insight into how an audit would be conducted, including who would in fact be interviewed, and what documents would be requested. Consider how and where the activities noted in that document would fit in to your Audit Protocol-based checklists, and you should be in a better position to figure out how your own organization would respond to an actual compliance audit.

15 Responses to HIPAA/HITECH Compliance: Using the OCR Audit Protocols

  • By Syed Qamber April 25, 2013 - 12:59 am

    Hello,

    Good to see your post which is very helpful for our organization Audit. Can I have a gap analysis Audit checklist for Hipaa

    Looking forward for your reply

    • By John R. Christiansen May 20, 2013 - 7:33 am

      Sure, I’ll send it via email.

  • By Kelly Prejean May 15, 2013 - 12:05 pm

    Good Afternoon,

    Would you be willing to share your compliance audit checklist? I would really appreciate it.

    Thanks!

  • By Thomas Smith May 27, 2013 - 4:24 pm

    Hello:

    Very informative post !

    Could you please e-mail me the checklist(s) you have developed.

    Thank You.

  • By Russell Mason June 6, 2013 - 6:50 am

    Can I alos have the gap analysis Audit checklist for Hipaa?

  • By Bianca S. June 7, 2013 - 12:29 pm

    Please share your checklist. I would greatly appreciate.

    Thanks a million!
    Bianca

  • By E Havice July 8, 2013 - 11:11 am

    Very good information. Please forward me your checklist. Regards

    • By John R. Christiansen July 13, 2013 - 12:36 pm

      Thanks! Due to the volume of requests I’ve posted the checklist here.

  • By Carl Hatch-Feir August 16, 2013 - 8:38 am

    Could I have all of your HIPAA checklists?

    • By John R. Christiansen August 31, 2013 - 11:14 am

      You can actually download it here:

  • By Jean Furdella September 11, 2013 - 4:22 am

    Thanks for the article – would you mind sharing your checklist and gap analysis? I am in the process of making a checklist and the more I read, the more things I realize that I missed 🙂 Thanks so much.
    Jean

  • By Joe Bono, CISSP, CISA September 27, 2013 - 12:07 pm

    Great post which is very helpful for our organization Audit. Can I have a gap analysis Audit checklist for Hipaa ? Thanks, Joe

  • By Shannon June 11, 2014 - 6:45 am

    Please send me a copy of the checklist.

    Thanks,

    Shannon

  • By Kari Rissanen July 8, 2014 - 5:40 am

    I’m right in the middle of a HIPAA Risk analysis, building the processes to manage our infrastructure, and documenting everything. Your Gap analysis audit checklist would really help in checking our compliance issues.
    Please send along, and thanks!

    Kari

Categories

Tags

bill gates cert christiansen it blog cobiT coco contract law do it yourself ehr issues ehrs electronic health records electronic health recores electronic medical records eula hackers healthcare system healthy information networks hipaa hitech information security information security duty information security theory infosec integrated information security standard of care integreated information security it law it risk it security legal counsel medical records nasa dod hacker network security newbie lawyers opering system risk acceptance risk assessment risk management risk theory secuirty rule security incident response poilicy security legislation self help strategic information security ufo hacking vista windows vista

Worthwhile Links