The Office for Civil Rights (OCR) has issued its revamped audit protocol for its second phase of auditing covered entities’ and business associates’ compliance with the HIPAA Privacy, Security and Breach Notification Rules.

The lengthy audit protocol is posted on the OCR website. It provides general instructions, and then cites each statutory section of the Privacy, Security and Breach Notification Rules that will be covered by the audit. For instance, pursuant to 45 C.F.R. Section 164.510(b), the OCR will look at “What policies and procedures exist for disclosing PHI to family members, relatives, close personal friends, or other persons identified by the individual?” and will “Obtain and review policies and procedures for such disclosures.”

An example of a question related to compliance with the Security Rule, under 45 C.F.R. Section 164.308(a)(5)(i), is: “Does the entity have policies and procedures in place regarding a security awareness and training program? Does the entity provide security awareness and training to all new and existing members of its workforce? Obtain and review policies and procedures for security awareness and training program.” The steps the OCR lists include obtaining the training materials to determine if they are “reasonable and appropriate for workforce members to carry out their functions” and an instruction to “Obtain and review documentation demonstrating that the security awareness and training programs are provided to the entire organization and made available to independent contractors and business associates, if appropriate.”

In the section outlining the review of breach notification compliance, the OCR indicates that if a covered entity or business associate determined that an acquisition, access, use or disclosure of PHI did not require notification, “did the covered entity or business associate determine that one of the regulatory exceptions…apply? If yes, obtain documentation of such determination.”

The OCR has been warning covered entities and business associates about the new phase of audits for over a year. Now that we have the protocol, it can be used as a road map for preparing for an audit, or getting compliance in order.

We are hearing through the grapevine that over 800 covered entities and business associates will get the “letter” from the OCR to start the audit process. If you get the letter (which the OCR says you will not get if there is a pending investigation), get ready. If you don’t get the letter in this wave, get ready anyway. Use the road map; it is guidance of a kind that we rarely get from the OCR.