The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released an updated HIPAA Audit Protocol that it plans to use when auditing healthcare entities for HIPAA compliance.

The biggest change to the HIPAA audit protocol is the distinction that OCR has made between what’s required of business associates (BAs) versus what’s required of covered entities (CEs). The guidance is extensive and covers each type of audit along with precisely what action needs to be taken and by whom.

In addition, OCR has issued a template that CEs and BAs should use to track their relationships with their own BAs (for a BA, this includes its subcontractor BAs). The template has been released for use during OCR’s 2016 Phase 2 HIPAA Compliance Audits, and CEs and BAs are already being notified by email of their potential inclusion in Phase 2.

OCR has said that the first step in these audits will be for CEs and BAs to compile a list of their Business Associates. The template is meant to be a resource for potential auditees so that they can engage with OCR proactively before OCR begins its audits.

OCR has produced a sample list that outlines exactly the type of information they expect to see during their Phase 2 audits. When requested, CEs and BAs should be able to produce:

  • The name of the business associate
  • The type of service they provide
  • Two points of contact from each business associate
  • The URL of the business associate’s website


OCR suggests that potential auditees use this new template to track their BAs so that they can quickly and easily respond, should OCR request the information from them.

With this new guidance, CEs and BAs will be much better equipped to conduct self-audits and prepare for Phase 2, whether they’ve been selected for a desk audit, an onsite audit, or just want to monitor the ongoing status of their compliance.

Compliancy Group’s web-based HIPAA compliance solution, The Guard™, comes with built-in tracking for BAs along with a Business Associate Agreement (BAA) template, all managed through a simple online login. The Guard also incorporates the elements needed to conduct a thorough self-audit of a user’s organization, with documentation and built-in remediation plans to address any gaps or lapses in HIPAA compliance.