The federal Department of Health and Human Services (HHS) has released a comprehensive audit protocol that describes in detail the manner in which it will audit compliance by covered entities with the HIPAA privacy, security, and breach-notification rules. The protocol gives group health plans and other covered entities a useful (albeit thorough) checklist for evaluating their compliance with these rules and, if necessary, taking steps to shore up their records, policies, and procedures on issues HHS is sure to review in the event of an audit.
There are 165 separate audit points in the protocol, and not all of them will be relevant for every covered entity. But for group health plans, the following will be of particular interest:
- Organizational Requirements for Group Health Plans. "Inquire of management as to whether the plan documents restrict the use and disclosure of PHI by the plan sponsor. Obtain and review a sample of plan documents. Verify if the use and disclosure of PHI by the plan sponsor is restricted. Verify what information the sponsor does obtain and how it is used."
- Notice of Privacy Practices. "Obtain and review the notice of privacy practices and evaluate the content relative to the specified criteria given to individuals by the covered entity." And for group health plans specifically: "Obtain and review the formal or informal policies and procedures in place regarding the provision of the notice of privacy practices. For a selection of individuals, obtain and review the individuals' files for the past year to identify how frequently notices are provided and how individuals covered by the plan may obtain the notice of privacy practices."
- Training. "Inquire of management as to whether training is provided to the entity's work force on HIPAA Privacy Standards. Obtain and review documentation to determine if a training process is in place for HIPAA privacy standards. *** For a selection of new hires within the audit period, obtain and review documentation showing training on HIPAA privacy compliance has been completed."
- Policies and Procedures. "Inquire of management as to whether policies and procedures with respect to PHI are in place that are designed to comply with the standards, implementation specifications, and other requirements of the HIPAA Privacy Standards."
- Security Rule - Required Risk Assessment. "Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI."