
Healthcare Organizations and OCR Audits: Be Prepared

11/25/2014  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security



If you receive notification from the OCR that you have been chosen for an OCR audit, don’t panic! The first step is to understand the nature of the request. Is it the result of a complaint? A breach you have reported? A random OCR audit? If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population, not just your organization. The OCR has been charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing. The OCR plans to send out surveys to 800-1,000 entities. The surveys will be used to develop a list of potential audit targets. And unlike the 2012 OCR audits, the third wave of audits expected in 2015 will include business associates.

An OCR Audit Preparation Checklist

Here’s what you will want to be prepared with if you are selected for a 2014-15 OCR audit:

  1. Risk analysis
  2. Evidence of a risk management plan (e.g. list of known risks and how you are dealing with them)
  3. Policies and procedures and descriptions as to how they were implemented
  4. Inventories of business associates and the relevant contracts and BAAs
  5. An accounting of where ePHI is stored (internally, printouts, mobile devices and media, third parties)
  6. How you monitor mobile devices and mobile media (thumb drives, CDs, backup tapes)
  7. Documentation on breach reporting policies and how you have responded to breaches
  8. A record of security training that has taken place
  9. Evidence of encryption capabilities

A significant number of this year’s audits will be ‘desk’ audits, so OCR personnel may not be visiting you on site. Also, the 2012 audits were outsourced, but due to budget constraints, OCR personnel will conduct the upcoming audits themselves. What this means to you is that if you are selected for an audit, you will be working directly with the OCR, but from a remote location. If you are selected for an on-site audit, you can expect your audit to be more in-depth than those conducted in the 2012 pilot round. Important note: Don’t go easy on your risk analysis. The OCR will be expecting organizations to assess their own procedures and the commensurate safety of ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems or targeting new markets, you will be expected to analyze your risk for each initiative. In their pilot program, the OCR found that two-thirds of the organizations they audited did not have a complete and accurate risk analysis.

This time around, we would encourage you not to be one of those. Learn more to prepare your firm for the upcoming OCR audit in the new guide, OCR Audits Demystified.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!


Posted in: Healthcare