
Healthcare Organizations and OCR Audits: Be Prepared

10/02/2018  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security


If you receive notification from the OCR that you have been chosen for an OCR audit, don’t panic! The first step is to understand the nature of the request.

  • Is it a result of a complaint?
  • A breach you have reported?
  • A random OCR audit?

If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population, not just your organization. The OCR has been charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing.

An OCR Audit Preparation Checklist

Here’s what you will want to be prepared with if you are selected for an audit:

  1. Risk analysis
  2. Evidence of a risk management plan (e.g. list of known risks and how you are dealing with them)
  3. Policies and procedures and descriptions as to how they were implemented
  4. Inventories of business associates and the relevant contracts and BAAs
  5. An accounting of where ePHI is stored (internally, printouts, mobile devices and media, third parties)
  6. How you monitor mobile devices and mobile media (thumb drives, CDs, backup tapes)
  7. Documentation on breach reporting policies and how you have responded to breaches
  8. A record of security training that has taken place
  9. Evidence of encryption capabilities

The OCR will be expecting organizations to assess their own procedures and the commensurate safety of ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems or targeting new markets, you will be expected to analyze your risk for each initiative. In their pilot program, the OCR found that two-thirds of the organizations they audited did not have a complete and accurate risk analysis.

This time around, we would encourage you not to be one of those. Learn more to prepare your firm for the upcoming OCR audit in the guide, OCR Audits Demystified.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!