OCR released the details of the HIPAA audit protocol. There are not many surprises in the list of items auditors look for during an audit. The protocol reads like a summary of the HIPAA Privacy and Security Rules with the addition of the Breach Notification Rule. There are 77 items for HIPAA Security and 88 items for Privacy and Breach Notification. The audit protocol highlights the fact that an organization has to produce an enormous amount of information to demonstrate compliance with HIPAA and HITECH.
Below are the first 6 (out of 40) required security implementation specifications (click on any of the items below to go to the OCR website). The remaining 71 specifications are addressable, which does not mean they are optional: an organization has to document either how it is implementing each specification or why it is not implementing it.
Organizations need to address the HIPAA and HITECH requirements now, before they receive an audit letter. There is not enough time to put the 165 items in place after receiving an audit letter. What would you do if your organization were asked to demonstrate compliance with each of the 165 requirements?