New HIPAA audits raise the bar on compliance teams
New audit protocol
The Health and Human Services Office for Civil Rights (OCR) has launched the second phase of its HIPAA Audit Program. Now, both covered entities and business associates are subject to the audits. The process will include RFIs, desk audits, and, for a select number of entities, on-site audits.
In preparation for the phase 2 audits, OCR has updated the audit protocol. This new protocol dwarfs the previous release, with over 1,000 audit inquiry line items. Responding to the sheer volume of audit inquiries will be monumentally time-consuming for an entity’s IT and security teams. Consider this one inquiry:
Obtain and review documentation demonstrating the records of information system activities that were reviewed such as audit logs, access reports, and security incident tracking reports. Evaluate and determine if information system records were reviewed in a timely manner and that the review was conducted and certified by appropriate personnel.