OCR Issues Revised Audit Protocol: HIPAA & HITECH Blog by Jonathan P. Tomes

In April 2016, the U.S. Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) issued its updated Phase 2 Audit Protocol. Its revisions included information on audits of business associates—that is, what portions of the protocol are applicable to business associates and what portions are applicable only to covered entities, including a Business Associate Tracking Guide; what information OCR will request from covered entities or business associates (collectively entities) in the audit process; and, perhaps most importantly, what information should be included in required policies and procedures.

The guidance as to what portions of the protocol are applicable only to business associates specifies, for example, under 45 C.F.R. § 164.308(b)(1), Business Associate Contracts and Other Arrangements:

[This inquiry is for BAs only]
Based upon the selection methodologies from the above paragraph, determine whether the business associate contract identifies if it utilizes any subcontractors. If so, review the business associate agreement to examine if (i) Omnibus provisions are required and (ii) all subcontractors who create, receive, maintain, or transmit electronic protected health information on a business associate’s behalf maintain business associate agreements equal to or greater than the business associate agreement with the original covered entity.

Such guidance should help business associates determine which compliance requirements apply to them, without having to guess whether a given issue applies to them or only to covered entities.

The OCR sample Business Associate Tracking Template included in the revised protocol contains a list of the specific information that OCR will request from a covered entity or business associate as part of these audits. If the covered entity or business associate receives a request for information, it should be able to quickly produce all of the following information for each business associate:
• Name of business associate.
• Type of service provided.
• Contact information for two points of contact at the business associate.
• Website URL for the business associate.

Covered entities and business associates do not have to use the OCR tracking template. Regardless, they should review their business associate tracking documents to ensure that they have all of the information that will be requested by OCR as part of an audit.

The guidance as to what information OCR will request from entities not only will be important to those selected for audit but also will provide guidance to all entities to help them get or remain in compliance.


Entities should, regardless of whether they are actually selected for an audit, use the guidance as to what information should be included in required policies and procedures (although the protocol also provides guidance on what should be included in addressable policies and procedures) to ensure that their policies are compliant. The guidance is quite specific. For example, § 164.310(d)(1), Device and Media Controls, reads:

• Does the entity have policies and procedures in place that govern the receipt and removal of hardware and electronic media that contain ePHI, into and out of a facility, and the movement of these items within the facility?
• Does the entity govern the receipt and removal of hardware and electronic media that contain ePHI, into and out of a facility, and the movement of these items within a facility?
• Obtain and review the policies and procedures related to device and media controls. Evaluate the content in relation to the specified performance criteria for the proper handling of electronic media that contain ePHI.

Elements to review may include but are not limited to the following:
• How the types of hardware and electronic media that must be tracked (both entity owned and personally owned) are identified.
• The process of tracking all types of hardware and electronic media that contain ePHI.
• Workforce members’ roles and responsibilities in the device and media control process.
• Authorization process for the receipt and removal of hardware and electronic media that store ePHI.
• How the release of hardware, software, and ePHI data out of entity control is managed and documented.

Obtain and review documentation demonstrating the movement of hardware and electronic media containing ePHI into, out of, and within the facility. Evaluate and determine whether movement of hardware and electronic media is being properly tracked, documented, and approved by appropriate personnel.

Obtain documentation demonstrating the types of security controls implemented for the facility regarding movements of workforce members’ assigned hardware and electronic media that contain ePHI into, out of, and within the facility. Evaluate and determine whether security controls are appropriate, have been properly implemented, and minimize possible vulnerabilities.

Once the audit requests have been initiated, entities that are selected for the OCR Phase 2 HIPAA Compliance Audit will have only ten business days to respond, so it is crucial to have the information available.

The entire Protocol is available at HHS.gov, Health Information Privacy, Audit Protocol – Updated April 2016.

You may want to consider a way to document that someone outside the facility who has received PHI, electronic or otherwise, from within your facility has promised to safeguard that PHI. Jon Tomes has drafted a sample Acknowledgement of Receipt for you, and it is now available on the Premium Member section of our website, veteranspress.com.
