The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just released an updated HIPAA Audit Protocol that it plans to use while investigating healthcare entities for HIPAA compliance.
The biggest change to the HIPAA audit protocol is the distinction that OCR has made between what’s required of business associates (BAs) versus what’s required of covered entities (CEs). The guidance is extensive and covers each type of audit along with precisely what action needs to be taken and by whom.
In addition, OCR has issued a template that CEs and BAs should use to monitor their relationships with their BAs. The new template has been released for use during OCR’s 2016 Phase 2 HIPAA Compliance Audits. CEs and BAs have already begun receiving email notifications of their potential inclusion in Phase 2.
OCR has said that the first step in these audits is going to be for CEs and BAs to compile a list of their Business Associates. The new template is meant to be a resource for potential auditees so that they can proactively engage with OCR as they begin to conduct their audits.
OCR has produced a sample list that outlines exactly the type of information they expect to see during their Phase 2 audits. When requested, CEs and BAs should be able to produce: