Does the 2016 HIPAA Audit Protocol Set New Expectations for HIPAA Policies and Procedures?
The HIPAA Privacy, Security, and Breach Notification Regulations require healthcare organizations to create written policies and procedures that help demonstrate compliance with the regulations. An organization can have well-established security practices or appropriately provide a patient with a copy of medical records, but if the organization doesn’t have a written policy and procedure for that specific requirement, it can be found out of compliance with the HIPAA regulations. Why is that? Because the HIPAA regulations have specific requirements that mandate the creation of written policies and procedures.
The specific regulations are as follows:
- Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
- Security Rule Documentation – 164.316(b)(1) – (i) Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment
- Breach Notification Rule Documentation – 164.414 – A covered entity must comply with the administrative requirements as defined under the HIPAA rule documentation, including the establishment of written policies and procedures
The regulations make it very clear that written policies and procedures are necessary for compliance, but they don’t always specify what the policies and procedures need to contain. When the 2016 HIPAA Audit Protocol was published, it not only emphasized the importance of the written policies and procedures but also, for the first time, established expectations for their content. Let’s look at an example:
HIPAA Regulation 164.308(a)(1)(ii)(A) Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
As you can see from this regulation, there is no specific information on what the risk analysis should consist of and what information should be written into the policy and procedure. Now let’s evaluate the regulation against the 2016 HIPAA Audit Protocol:
HIPAA Audit Protocol 164.308(a)(1)(ii)(A) Risk Analysis: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
Complete HIPAA Audit Protocol: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol
While conducting a HIPAA Audit, the auditors will be looking for specific criteria defined in a policy and procedure on how the risk analysis will be conducted. Then the auditor will obtain a copy of the most current risk analysis and evaluate whether you followed the policy and procedure the organization defined.
The audit protocol defines more specifically what should be covered in the policies and procedures that your organization needs to establish. The other aspect of policies and procedures is that healthcare organizations need to follow exactly what is defined in them. For example, if your policy and procedure on malicious software states that your organization will run updated virus scans on a weekly basis, your organization needs to actually be doing that and be able to provide evidence of the virus scans. If, during an audit, it is determined that the scans are only run on a monthly basis, you may be found out of compliance because you are not meeting the expectations of the defined policies and procedures.
Best Practice: Ensure the steps defined in the HIPAA policies and procedures are being followed as written. (Hint: You need to do an audit to verify and check this)
Most of the HIPAA fines and Corrective Action Plans established by the Office of Civil Rights cite a lack of policies and procedures and a lack of evidence supporting compliance with the HIPAA regulations and the established policies and procedures. This is definitely a HUGE red flag in HIPAA compliance and a “hot” area for auditors.