Recently I was asked about rumors regarding HIPAA Audits.  The person that asked me did it in a jokingly matter similar as if he was asking about the last time I was visited by the Easter Bunny. The reality of this issue is that HIPAA Audits are real and if nothing they will be more regulars than in the past.  After a two year Pilot program the Department of Health and Human Service (HHS) will roll out a permanent HIPAA Audit program.  Per the HHS web site: “The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

• The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards

As of March 2014 they have not incorporated provisions from the Omnibus Rule but I’m pretty sure that those are forthcoming.  In the meantime they key issues to consider are:

Section	Established Performance	Criteria
§164.308(a)(1):	Security Management Process §164.308(a)(1)(ii)(a) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity,...	Conduct Risk Assessment
§164.308(a)(1)(i):	Security Management Process - Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be ne...	Acquire IT Systems and Services
§164.308(a)(1)(ii)(D):	Security Management Process - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incide...	Develop and Deploy the Information System Activity Review Process
§164.308(a)(1):	Security Management Process §164.308(a)(1)(ii)(b) - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to compl...	Implement a Risk Management Program
§164.308(a)(2):	Assigned Security Responsibility - the responsibility for security should be assigned to a specific individual or organization to provide an organization focus and importanc...	Select a Security Official To Be Assigned Responsibility for HIPAA Security
§164.308(a)(2):	Assigned Security Responsibility - the responsibility for security should be assigned to a specific individual or organization to provide an organization focus and importanc...	Assign and Document the Individual's Responsibility
§164.308(a)(3)(ii)(A):	Workforce security - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in lo...	Implement Procedures for Authorization and/or Supervision
§164.308(a)(3):	Workforce Security - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as pro...	Establish Clear Job Description and Responsibilities
§164.308(a)(3):	Workforce Security - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as pr...	Establish Criteria and Procedures for Hiring and Assigning Tasks
§164.308(a)(3):	Workforce Security - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as pro...	Establish a Workforce Clearance Procedures

The good news, we have all these topics covered in our Compliance Suite software so you can contact Taino Compliance or one of our Partners for more information.  If you are up to a challenge you can do it yourself and get more information by going to: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html