Contents of the HIPAA audit protocol used in 2016

The Office for Civil Rights (OCR) published an audit protocol to clarify which HIPAA standards auditors may assess during an audit. OCR first made its HIPAA audit protocol available in 2012 in connection with its pilot audit program. In 2016, OCR released an updated audit protocol that incorporates the changes made by the 2013 HIPAA Omnibus final rule.
The audit protocol identifies “key activities” (HIPAA standards) and, for each standard, states the legal requirements against which compliance is assessed (“established performance criteria”).

Audit Type & Section: Privacy, §164.502(a)(5)(i)

Key Activity: Prohibited uses and disclosures - Use and disclosure of genetic information for underwriting purposes

Established Performance Criteria:

§164.502(a)(5)(i) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:

(A) Except as provided in paragraph (a)(5)(i)(B) of this section:

(1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and

(4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

(B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.

Read the complete list at HHS

Although the audit protocol’s requirements depend on the specific HIPAA standard being assessed, some recurring themes indicate what auditors are likely to look for. For example, many of the protocols direct auditors to ask whether policies or procedures exist for a given HIPAA standard, and whether those policies and procedures have been reviewed and updated on a periodic basis.

Source: http://advisornetbenefits.com/wp-content/uploads/HIPAA-Compliance-Review-Audit-Protocol.pdf