OCR Issues New HIPAA Audit Protocol
Last week, federal regulators released a revamped protocol to use in phase two of HIPAA compliance audits of covered entities and business associates.
The Department of Health and Human Services’ Office for Civil Rights posted this updated protocol on its website with a request for feedback.
“It is refreshing to see that the OCR has refined many of the outdated or ‘grey area’ controls found in the previous revision of the OCR Audit protocol,” said Sword & Shield Vice President of Services Fred Cobb. “Healthcare consulting companies like us that conduct HIPAA risk and gap assessments of both covered entities and business associates are well aware of the loose interpretation of the existing HIPAA technical and administrative safeguards.
“Because the HHS/OCR standards sometimes do not do enough to mandate that proper security measures are in place, or are often unclear with the requirements to meet a particular control, improved control frameworks such as Sword & Shield’s HIPAA Compliance Program and/or HITRUST are recognized as taking the security of ePHI to the next level,” he said. “It is also great to see that the new OCR protocol draws clearer distinctions between the requirements for covered entities and for business associates.”
Cobb said Sword & Shield has immediately adopted the new protocol.
To read more about the protocol, please visit the OCR’s website.
Please also see: