
Healthcare Law Blog

OCR Updates HIPAA Audit Protocol for Phase 2

Recently, the Office of Civil Rights (“OCR”) provided an updated protocol that it will use when assessing compliance with HIPAA rules. OCR recently began Phase 2 of its HIPAA compliance audits, extending coverage of these audits to Business Associates (“BAs”) as well as Covered Entities (“CEs”). Both BAs and CEs should pay particular attention to these revised audit protocols, as they indicate exactly what OCR will be looking for when conducting these audits.

To begin with, the updated protocol now distinguishes between the portions that apply to both CEs and BAs and the portions that apply only to CEs. This should prove helpful when BAs refine policies and conduct risk assessments for HIPAA compliance. One of the more beneficial changes to the audit protocol is that it now includes very specific questions for CEs and BAs to answer as part of their risk assessments, and it goes into detail on what elements must be included in a CE’s or BA’s policies and procedures. This links the audit requirements more closely to the provisions of HIPAA and the HITECH Act that create the respective responsibilities. Each standard and implementation specification is paired with a specific inquiry in the audit protocol as a means of testing compliance, and the protocol provides additional guidance and explicit examples.

The revised protocol now includes 180 potential areas of scrutiny, up from 165 during the first phase of auditing. It is potentially the strongest tool given to CEs and BAs to measure their own compliance, providing a roadmap for risk assessment. All CEs and BAs should review the updated audit protocols and evaluate compliance efforts in a methodical manner, systematically working through the revised protocol’s audit inquiries to understand strengths and weaknesses with respect to policies and procedures that implement HIPAA’s Security, Privacy or Breach Notification Rules. The attorneys of McBrayer can assist covered entities and business associates with the audit process, providing these entities with the tools they need to ensure compliance every step of the way. Contact us today!

Gina M. Rawlins, MPA-CHA-CHC, is a Research and Compliance Analyst of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Rawlins concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at grawlins@mmlk.com or at (859) 231-8780, ext. 1257.

This article is intended as a summary of federal and state law and does not constitute legal advice.
