The OCR Audit Protocol

October 10, 2012 | Mac McMillan – Privacy and Security

We have talked about the Office for Civil Rights (OCR) audits in past posts and I’ve gotten a lot of questions about the audit protocol that the auditors use and that OCR posted on their website a couple of months ago now. Like many aspects of the OCR Audit Program, the protocol is still a work in progress, which is the first thing you should know and understand. That means it is still subject to change and in fact has changed several times already since it was posted. So if you go to use it make sure you get the latest copy from the OCR website directly.

The second most important thing to know is that the protocol was developed as a tool to guide the audit process and the auditors interviews — not as a complete listing of all the questions they could ask about your program to assess your performance.

Third you should know that the auditors are not bound by the protocol, meaning they do not have to ask every question in the protocol when they audit you. What this should tell you is that the audit protocol is a useful tool for assessing your own program ahead of time, but it is not a model for your program or the only thing you should focus on to ensure you are compliant and ready. The best way to do that is still to have implemented a sound program based on a complete security model.

Since I did say it was a useful tool to assist in assessing your readiness, it would also be good to know how to use it. The protocol is based on the three rules covered by the audit program: HIPAA Security, HIPAA Privacy and HITECH Breach Notification. The protocol breaks down the rules into what it refers to as procedures. There are currently 169 procedures outlined in the Protocol, 78 in Privacy, 81 in Security and 10 in Breach Notification. Each procedure is then broken down in a distinct pattern.

Each procedure starts with the specification from the rule and restates the language verbatim. Then it breaks down the specification into a set of key activities. For instance, in Access Control a key activity is terminating access when no longer required. Then for each activity there is a set of questions that the auditor must answer and gather evidence to corroborate his/her findings. To accomplish this, the auditor will interview management as to whether a policy or procedure exists to cover the activity and to explain the routine process followed. The auditor will then ask to see (obtain and review) all related documentation for the activity to include: policies, procedures, forms, checklists, records, audit trails, etc. And last but not least, if the specification is “addressable,” the auditor will ask for documentation any time the entity has chosen not to fully implement the specification and their rationale for doing so. So how do you use the protocol to assess your program?

1. Download the protocol from the OCR website.
2. For each Procedure/Key Activity identify the policy, procedures and any other documentation you have related to its implementation.
3. Interview staff to make sure that what they describe as their routine process is what is documented.
4. Last but not least locate supporting evidence that demonstrates compliance.
5. Identify any gaps and remediate.