Tuesday, July 3, 2012

Recently, the Office of Civil Rights (OCR) published their protocol for HIPAA audits. The scope includes:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

For example, there are 77 performance criteria and corresponding audit procedures for the Security Rule alone. Most validate that appropriate processes and procedures are in place.

The OCR protocol provides a useful rubric for assessing the status of an organization's compliance.  It's well done.

The protocol is not intended to tell organizations how to develop these policies. Luckily, NIST provides detailed implementation guides covering standard practices and best practices.

As part of my Summer of Compliance work, we're using the NIST 800 framework as a means of benchmarking our policies and technologies.  Since NIST 800 is exhaustive (everything from password management to IP phone configuration), we needed a focused subset.

NIST 800-66 provides guidance for implementing the HIPAA Security Rule and includes a crosswalk (Appendix D) of the Security Rule requirements against the security controls identified in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. It also references the NIST SP 800 publications that discuss those security controls in greater detail, mapped to the implementation specifications within the Administrative, Physical, and Technical Safeguards sections of the Security Rule.

Compliance is a journey. The OCR audit protocol plus a subset of the NIST 800 implementation guides provide a roadmap for compliance success.
