OCR has posted the following information to their website:
1) Guidance for 2016 HIPAA Desk Audits
Two weeks ago, covered entities received notification of their selection as the subjects of an Office for Civil Rights (OCR) desk audits of compliance with the HIPAA Security, Privacy and Breach Notification Rules. They were also invited to participate in a webinar held on Wednesday, July 13, where OCR staff walked through the processes they can expect for the audit and expectations for their participation. Desk audits require entities to submit documentation of their compliance with requirements of the notice of privacy practices, access, breach notification, risk analysis and risk management standards. Desk audits of business associates will take place this Fall.
To respond to the questions we received during the webinar and through emails, OCR developed three targeted guidance documents. These documents were sent to the audited entities and are also available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html) . One is a comprehensive question and answer listing. The second puts the specific audit document submission requests in context with the rule requirements and associated protocol audit inquiries, as well as the related questions asked by selected entities. The entire protocols are available on the OCR website; for this guidance we extracted from those protocols the specific desk audit provisions, and added the audit inquiries and Q&A. Finally, OCR has posted the slides used in the webinar. The guidance should be helpful to audited entities as well as other covered entities and business associates seeking assistance with improving their compliance with these important requirements of the HIPAA Rules.
2) New FAQ: HIPAA and Unique Device Identifiers
OCR has posted a new FAQ on HIPAA and Unique Device Identifiers (UDI), which clarifies that the device identifier (DI) portion of a UDI can be part of a limited or de-identified data set as defined under HIPAA. While the HIPAA Privacy Rule prohibits the inclusion of “device identifiers and serial numbers” in both limited data sets and data sets that are de-identified in accordance with the “de-identification safe harbor” provisions, the guidance explains that the DI portion of the UDI is not the type of “device identifier” to which these HIPAA Privacy Rule provisions refer.
You may find the new FAQ on OCR’s website at: https://www.hhs.gov/hipaa/for-professionals/faq/2071/can-device-identifier-di-portion-unique-device-identifier-udi-be-part-limited-or-de-identified
To learn more about OCR, visit our website at www.hhs.gov/ocr.